GitBook: [#3615] No subject
Before Width: | Height: | Size: 74 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 74 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 52 KiB After Width: | Height: | Size: 20 KiB |
Before Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 70 KiB |
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 70 KiB |
Before Width: | Height: | Size: 137 KiB |
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 137 KiB |
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 143 KiB |
BIN
.gitbook/assets/image (158) (3).png
Normal file
After Width: | Height: | Size: 161 KiB |
Before Width: | Height: | Size: 161 KiB After Width: | Height: | Size: 45 KiB |
BIN
.gitbook/assets/image (161) (2).png
Normal file
After Width: | Height: | Size: 189 KiB |
Before Width: | Height: | Size: 189 KiB After Width: | Height: | Size: 28 KiB |
BIN
.gitbook/assets/image (175) (2).png
Normal file
After Width: | Height: | Size: 21 KiB |
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 40 KiB |
BIN
.gitbook/assets/image (176) (1).png
Normal file
After Width: | Height: | Size: 42 KiB |
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 41 KiB |
BIN
.gitbook/assets/image (178) (2).png
Normal file
After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 15 KiB After Width: | Height: | Size: 32 KiB |
BIN
.gitbook/assets/image (182) (1).png
Normal file
After Width: | Height: | Size: 249 KiB |
Before Width: | Height: | Size: 249 KiB After Width: | Height: | Size: 39 KiB |
BIN
.gitbook/assets/image (184) (2).png
Normal file
After Width: | Height: | Size: 85 KiB |
Before Width: | Height: | Size: 85 KiB After Width: | Height: | Size: 73 KiB |
BIN
.gitbook/assets/image (185) (1).png
Normal file
After Width: | Height: | Size: 47 KiB |
Before Width: | Height: | Size: 47 KiB After Width: | Height: | Size: 93 KiB |
BIN
.gitbook/assets/image (188) (1).png
Normal file
After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 92 KiB |
BIN
.gitbook/assets/image (189) (1).png
Normal file
After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 52 KiB |
BIN
.gitbook/assets/image (196) (1).png
Normal file
After Width: | Height: | Size: 34 KiB |
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 366 KiB |
BIN
.gitbook/assets/image (197) (1).png
Normal file
After Width: | Height: | Size: 49 KiB |
Before Width: | Height: | Size: 49 KiB After Width: | Height: | Size: 312 KiB |
Before Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 25 KiB |
BIN
.gitbook/assets/image (200) (1).png
Normal file
After Width: | Height: | Size: 25 KiB |
Before Width: | Height: | Size: 25 KiB After Width: | Height: | Size: 58 KiB |
BIN
.gitbook/assets/image (205) (1).png
Normal file
After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 54 KiB |
Before Width: | Height: | Size: 346 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 346 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 53 KiB |
BIN
.gitbook/assets/image (3) (5).png
Normal file
After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 41 KiB After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 220 KiB After Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 220 KiB |
Before Width: | Height: | Size: 3.2 MiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 3.2 MiB |
Before Width: | Height: | Size: 229 KiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 92 KiB After Width: | Height: | Size: 229 KiB |
Before Width: | Height: | Size: 95 KiB |
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 95 KiB |
Before Width: | Height: | Size: 146 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 146 KiB |
BIN
.gitbook/assets/image (70) (3).png
Normal file
After Width: | Height: | Size: 120 KiB |
Before Width: | Height: | Size: 120 KiB After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 106 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 106 KiB |
Before Width: | Height: | Size: 138 KiB |
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 138 KiB |
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 245 KiB |
|
@ -44,7 +44,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
### [SYN CUBES](https://www.syncubes.com/)
|
||||
|
||||
<figure><img src=".gitbook/assets/image (10) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src=".gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor
|
|||
|
||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||
|
||||
![](<../.gitbook/assets/image (5) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (5) (1).png>)
|
||||
|
||||
### **Exit Visual Studio and execute DllExport\_configure**
|
||||
|
||||
|
@ -139,7 +139,7 @@ Select **x64** (if you are going to use it inside a x64 box, that was my case),
|
|||
|
||||
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
||||
|
||||
![](<../.gitbook/assets/image (10) (1) (1).png>)
|
||||
![](<../.gitbook/assets/image (10) (1).png>)
|
||||
|
||||
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -195,7 +195,7 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
|
|||
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
|
||||
```
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -266,7 +266,7 @@ Opera **stores browser history and download data in the exact same format as Goo
|
|||
* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
|
||||
* **fraud\_protection\_enabled** should be **true**
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -111,7 +111,7 @@ Other tables inside this database contain more interesting information:
|
|||
* **deleted\_fields**: Dropbox deleted files
|
||||
* **date\_added**
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -84,7 +84,7 @@ After that, the neighborhood between the legitimate EIGRP routers is established
|
|||
|
||||
EIGRP Neighborship with GW1 (10.10.100.100):
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
EIGRP Neighborship with GW2 (10.10.100.200):
|
||||
|
||||
|
@ -141,7 +141,7 @@ Arguments of the script:
|
|||
|
||||
**Our host seems to be in trouble :)**
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (6) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As you can see, the host loses connectivity to host **172.16.100.140/32** due to route injection.
|
||||
|
||||
|
@ -149,7 +149,7 @@ As you can see, the host loses connectivity to host **172.16.100.140/32** due to
|
|||
|
||||
To establish EIGRP neighbors, **routers use special K-values.** They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain will crash and the neighborhood will be broken. We will use [**relationshipnightmare.py**](https://github.com/in9uz/EIGRPWN/blob/main/relationshipnightmare.py) **** to perform this attack**.**
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (12) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Script arguments:
|
||||
|
||||
|
@ -163,7 +163,7 @@ Script arguments:
|
|||
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (9) (3).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (9).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (27).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>
|
||||
|
||||
|
|
|
@ -72,7 +72,7 @@ We will be able to extract this information by analyzing GLBP traffic. We will u
|
|||
|
||||
As we see, only two routers are involved in the GLBP process: **10.10.100.100 and 10.10.100.200.**
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (158).png" alt=""><figcaption><p><strong>GLBP Ads</strong></p></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (158) (3).png" alt=""><figcaption><p><strong>GLBP Ads</strong></p></figcaption></figure>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (271).png" alt=""><figcaption><p>GLBP Advertisement from first router</p></figcaption></figure>
|
||||
|
||||
|
@ -99,7 +99,7 @@ Select the router at IP address **10.10.100.100** and activate the **Get IP** op
|
|||
|
||||
<figure><img src="../../.gitbook/assets/image (222).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (161).png" alt=""><figcaption><p>The structure of a malicious GLBP injection</p></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (161) (2).png" alt=""><figcaption><p>The structure of a malicious GLBP injection</p></figcaption></figure>
|
||||
|
||||
As you can see, the AVG router is now pretending to be an attacking system. **The priority value is 255, the weight value is 255, i.e. the maximum.**
|
||||
|
||||
|
|
|
@ -34,7 +34,7 @@ Before we switch to trunk mode, we need to list the existing VLANs and find out
|
|||
SW1# show vlan brief
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (178).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (178) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Here we go. Enter interface configuration mode and go into trunk mode.**
|
||||
|
||||
|
@ -46,7 +46,7 @@ SW1(config-if)# switchport mode trunk
|
|||
|
||||
During the switch to trunk mode, connectivity is lost. But I will fix that.
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (70).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (70) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Create virtual interfaces and “hang” VLAN ID on them, and then raise them.
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ This info was taken from the posts:
|
|||
|
||||
* [https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a](https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a)
|
||||
* [https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1](https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1)
|
||||
* [https://www.youtube.com/watch?v=9dOu-7BTwPQ\&feature=youtu.be](https://www.youtube.com/watch?v=9dOu-7BTwPQ\&feature=youtu.be)
|
||||
|
||||
## Basic Information
|
||||
|
||||
|
@ -49,6 +50,12 @@ It is an open source **alternative** to Microsoft Windows **Active** **Directory
|
|||
* **kswitch:** The kswitch command will **switch** the current **credential cache in use**.
|
||||
* **kvno:** The kvno binary acquires a **service ticket** for the **specified Kerberos** principals and prints out the key version numbers of each.
|
||||
|
||||
### Network
|
||||
|
||||
This is how a FreeIPA server might look like:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (197).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## Authentication
|
||||
|
||||
Since FreeIPA uses **Kerberos for authentication**, this process is very similar to **authentication** in **Active Directory**. In order to **access** resources on the domain, a user must have a v**alid Kerberos ticket** for that resource. These tickets can be stored in a number of different locations based on the configuration of the FreeIPA domain.
|
||||
|
@ -66,7 +73,7 @@ When tickets are set to be **stored** as a **file** on **disk**, the standard fo
|
|||
klist /tmp/krb5cc_0
|
||||
```
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (70).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
For an attacker re-using a CCACHE Ticket is very easy. To **re-use** a valid CCACHE Ticket, **export** **KRB5CCNAME** to the **path** of the valid ticket file. The system should recognize the environment variable and will attempt to use that credential material when interacting with the domain.
|
||||
|
||||
|
@ -75,9 +82,9 @@ export KRB5CCNAME=/tmp/krb5cc_0
|
|||
klist
|
||||
```
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (175).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### **Unix Keyring**
|
||||
### **Unix Keyring**
|
||||
|
||||
CCACHE Tickets **** can also be **stored** in **** the Linux **keyring**. The keyring lives inside of the **kernel**, and gives administrators **more control over the retrieval and use of stored tickets**. Tickets can be scoped in the following different ways:
|
||||
|
||||
|
@ -89,11 +96,11 @@ CCACHE Tickets **** can also be **stored** in **** the Linux **keyring**. The ke
|
|||
|
||||
Depending on how the administrator scoped the ticket stored inside of the Unix keyring, parsing it out may be difficult. However, the **default** **scope** for CCACHE Tickets in the Unix keyring is **`KEYRING:persistent:uidnumber`**. Fortunately if you are in the **context** of the **user**, `klist` can **parse** this information for us.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As an attacker, **re-using a CCACHE** Ticket stored in the Unix **keyring** is fairly **difficult** depending on how the ticket is scoped. Fortunately [@Zer1t0](https://github.com/Zer1t0) from [@Tarlogic](https://twitter.com/Tarlogic) has built a tool that can extract Kerberos tickets from the Unix keyring. The tool is called **Tickey** and can be found [**here**](https://github.com/TarlogicSecurity/tickey).
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (185).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Keytab <a href="#ff38" id="ff38"></a>
|
||||
|
||||
|
@ -107,7 +114,7 @@ Keytab files can be used to **obtain a valid ticket granting ticket** (TGT) for
|
|||
|
||||
Parsing a Keytab file is very easy, and can be accomplished a few ways. The easiest way to **parse** a **keytab** file is with **klist**. The second way utilizes a great python utility that [Cody Thomas](https://medium.com/u/645ffcef8682?source=post\_page-----77e73d837d6a--------------------------------) has created. His **** [**KeytabParser**](https://github.com/its-a-feature/KeytabParser) **** project will parse out the principal and its relevant encrypted keys.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (200).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Attackers can **re-use credentials stored in keytab files by generating a CCACHE Ticket** through the kinit binary.
|
||||
|
||||
|
@ -119,7 +126,7 @@ klist -k /rtc/krb5.keytab
|
|||
kinit -kt /etc/krb5.keytab host/bastion.westeros.local@WESTEROS.LOCAL
|
||||
```
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (205).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Cheatsheet
|
||||
|
||||
|
@ -131,6 +138,12 @@ You can find more information about how to use tickets in linux in the following
|
|||
|
||||
## Enumeration
|
||||
|
||||
{% hint style="warning" %}
|
||||
You could perform the **enumeration** via **ldap** and other **binary** tools, or **connecting to the web page in the port 443 of the FreeIPA server**.
|
||||
{% endhint %}
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (184).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Hosts, Users, and Groups <a href="#4b3b" id="4b3b"></a>
|
||||
|
||||
It's possible to crate **hosts**, **users** and **groups**. Hosts and users are sorted into containers called “**Host Groups**” and “**User Groups**” respectively. These are similar to **Organizational Units** (OU).
|
||||
|
@ -173,6 +186,31 @@ ipa host-find <host> --all
|
|||
ipa hostgroup-show <host group> --all
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
The **admin** user of **FreeIPA** is the equivalent to **domain admins** from **AD**.
|
||||
{% endhint %}
|
||||
|
||||
### Hashes <a href="#482b" id="482b"></a>
|
||||
|
||||
The **root** user from the **IPA serve**r has access to the password **hashes**. 
|
||||
|
||||
* The password hash of a user is stored as **base64** in the “**userPassword**” **attribute**. This hash might be **SSHA512** (old versions of FreeIPA) or **PBKDF2\_SHA256**.
|
||||
* The **Nthash** of the password store as **base64** in “**ipaNTHash**” if system has **integration** with **AD**.
|
||||
|
||||
To crack these hashes:
|
||||
|
||||
• If freeIPA integrated with AD, **ipaNTHash** is easy to crack: You should **decode** **base64** -> re-encoded it as **ASCII** hex -> John The Ripper or **hashcat** can help you to crack it fast 
|
||||
|
||||
• If an old version of FreeIPA is used, so **SSHA512** is used: You should decode **base64** -> find SSHA512 **hash** -> John The Ripper or **hashcat** can help you to crack it 
|
||||
|
||||
• If new version of FreeIPA is used, so **PBKDF2\_SHA256** is used: You should decode **base64** -> find PBKDF2\_SHA256 -> it’s **length** is 256 byte. John can work with 256 bits (32 byte) -> SHA-265 used as the pseudo-random function, block size is 32 byte -> you can use only first 256 bit of our PBKDF2\_SHA256 hash -> John The Ripper or hashcat can help you to crack it
|
||||
|
||||
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
To extract the hashes you need to be **root in the FreeIPA server**, there you can use the tool **`dbscan`** to extract them:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (196).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### HBAC-Rules <a href="#482b" id="482b"></a>
|
||||
|
||||
There are the rules that grant specific permissions to users or hosts over resources (hosts, services, service groups...)
|
||||
|
@ -203,7 +241,7 @@ ipa sudorule-show <sudorule> --all
|
|||
|
||||
Each **role** contains a set of **privileges**, and those respective privileges contain a **set** of **permissions**. Roles can be **applied to Users**, User **Groups**, **Hosts**, Host Groups, and Services. To illustrate this concept let’s discuss the default “User Administrator” role in FreeIPA.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (161).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As the screenshot above shows the “User Administrator” role contains the following privileges:
|
||||
|
||||
|
@ -213,7 +251,7 @@ As the screenshot above shows the “User Administrator” role contains the fol
|
|||
|
||||
We can drill down further and enumerate the **permissions** delegated to each **privilege**:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (189).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As we can see the “**User Administrator**” role contains quite **a lot of permissions** inside of the environment. Understanding the general concept and structure of **roles**, **privileges**, and **permissions** can be critical to identifying attack paths throughout an environment.
|
||||
|
||||
|
@ -245,19 +283,19 @@ If you can **create a new user with the name `root`**, you can impersonate him a
|
|||
|
||||
The "**User Administrators**" privilege, is very powerful (as its name indicates it):
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (182).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
With this privilege comes a lot of different power to affect users inside the environment. Using this privilege we can **make a new user inside the FreeIPA domain named **_**root**._
|
||||
|
||||
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (158).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Once the user is created in the domain we can **obtain a ticket for the account with **_**kinit**_.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (178).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Now we can attempt to **SSH** using our newly created root domain account.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (176).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As shown this **drops the user into the local root account**! So simply by creating a domain user for a local user we were able to authenticate using the _root@WESTEROS.LOCAL_ account and obtain the **user context of the local root account**_._
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -508,7 +508,7 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o
|
|||
|
||||
The second technique explained in the post [https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
|
||||
|
||||
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -557,7 +557,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
|
|||
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
|
||||
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
|
||||
|
||||
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -345,7 +345,7 @@ If you are inside a filesystem with the **read-only and noexec protections** the
|
|||
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
|
||||
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -275,7 +275,7 @@ When creating a new emulator on any platform remember that the bigger the screen
|
|||
|
||||
As most people will use **Genymotion**, note this trick. To **install google services** (like AppStore) you need to click on the red marked button of the following image:
|
||||
|
||||
![](<../../.gitbook/assets/image (200).png>)
|
||||
![](<../../.gitbook/assets/image (200) (1).png>)
|
||||
|
||||
Also, notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** (this will be useful if you will be connecting to the Android VM from a different VM with the tools).
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -86,7 +86,7 @@ After installing Certificate SSL endpoints also working fine tested using → [h
|
|||
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
|
||||
{% endhint %}
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -1,28 +1,23 @@
|
|||
|
||||
# Drozer Tutorial
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# APKs to test
|
||||
## APKs to test
|
||||
|
||||
* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs)
|
||||
* [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
|
||||
|
||||
# Installation
|
||||
## Installation
|
||||
|
||||
Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
|
||||
|
||||
|
@ -38,9 +33,9 @@ Download and install drozer APK from the [latest releases](https://github.com/mw
|
|||
adb install drozer.apk
|
||||
```
|
||||
|
||||
## Starting the Server
|
||||
### Starting the Server
|
||||
|
||||
Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
|
||||
Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
|
||||
|
||||
```
|
||||
adb forward tcp:31415 tcp:31415
|
||||
|
@ -56,7 +51,7 @@ And connect to it:
|
|||
drozer console connect
|
||||
```
|
||||
|
||||
# Interesting Commands
|
||||
## Interesting Commands
|
||||
|
||||
| **Commands** | **Description** |
|
||||
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
|
@ -73,7 +68,7 @@ drozer console connect
|
|||
| **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` |
|
||||
| **payload** | The exploits need a payload. `drozer payload list` |
|
||||
|
||||
## Package
|
||||
### Package
|
||||
|
||||
Find the **name** of the package filtering by part of the name:
|
||||
|
||||
|
@ -127,7 +122,7 @@ Attack Surface:
|
|||
* **Services**:
|
||||
* **is debuggable**: [Learn more](./#is-debuggeable)
|
||||
|
||||
## Activities
|
||||
### Activities
|
||||
|
||||
An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
|
||||
|
||||
|
@ -163,11 +158,11 @@ You can also start an exported activity from **adb**:
|
|||
adb shell am start -n com.example.demo/com.example.test.MainActivity
|
||||
```
|
||||
|
||||
## Content Providers
|
||||
### Content Providers
|
||||
|
||||
This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md).
|
||||
|
||||
## Services
|
||||
### Services
|
||||
|
||||
A exported service is declared inside the Manifest.xml:
|
||||
|
||||
|
@ -175,11 +170,11 @@ A exported service is declared inside the Manifest.xml:
|
|||
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
|
||||
```
|
||||
|
||||
Inside the code **check** for the **`handleMessage`**function which will **receive** the **message**:
|
||||
Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (194).png>)
|
||||
|
||||
### List service
|
||||
#### List service
|
||||
|
||||
```
|
||||
dz> run app.service.info -a com.mwr.example.sieve
|
||||
|
@ -190,7 +185,7 @@ Package: com.mwr.example.sieve
|
|||
Permission: null
|
||||
```
|
||||
|
||||
### **Interact** with a service
|
||||
#### **Interact** with a service
|
||||
|
||||
```
|
||||
app.service.send Send a Message to a service, and display the reply
|
||||
|
@ -198,11 +193,11 @@ app.service.start Start Service
|
|||
app.service.stop Stop Service
|
||||
```
|
||||
|
||||
### Example
|
||||
#### Example
|
||||
|
||||
Take a look to the **drozer** help for `app.service.send`:
|
||||
|
||||
![](<../../../.gitbook/assets/image (196).png>)
|
||||
![](<../../../.gitbook/assets/image (196) (1).png>)
|
||||
|
||||
Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\
|
||||
Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
|
||||
|
@ -220,9 +215,9 @@ run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --m
|
|||
|
||||
![](<../../../.gitbook/assets/image (195).png>)
|
||||
|
||||
## Broadcast Receivers
|
||||
### Broadcast Receivers
|
||||
|
||||
Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the [publish-subscribe](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in (for example, some new data has been downloaded).
|
||||
Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the [publish-subscribe](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe\_pattern) design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in (for example, some new data has been downloaded).
|
||||
|
||||
Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes broadcasts to apps that have subscribed to receive that particular type of broadcast.
|
||||
|
||||
|
@ -239,15 +234,15 @@ This could appear inside the Manifest.xml file:
|
|||
|
||||
From: [https://developer.android.com/guide/components/broadcasts](https://developer.android.com/guide/components/broadcasts)
|
||||
|
||||
After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`**function as it will be handling the messages received.
|
||||
After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the \*\*`onReceive`\*\*function as it will be handling the messages received.
|
||||
|
||||
### **Detect all** broadcast receivers
|
||||
#### **Detect all** broadcast receivers
|
||||
|
||||
```bash
|
||||
run app.broadcast.info #Detects all
|
||||
```
|
||||
|
||||
### Check broadcast receivers of an app
|
||||
#### Check broadcast receivers of an app
|
||||
|
||||
```bash
|
||||
#Check one negative
|
||||
|
@ -270,7 +265,7 @@ Package: com.google.android.youtube
|
|||
Permission: null
|
||||
```
|
||||
|
||||
### Broadcast **Interactions**
|
||||
#### Broadcast **Interactions**
|
||||
|
||||
```
|
||||
app.broadcast.info Get information about broadcast receivers
|
||||
|
@ -278,13 +273,13 @@ app.broadcast.send Send broadcast using an intent
|
|||
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
|
||||
```
|
||||
|
||||
### Send a message
|
||||
#### Send a message
|
||||
|
||||
In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission.
|
||||
|
||||
![](<../../../.gitbook/assets/image (199).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (197).png>)
|
||||
![](<../../../.gitbook/assets/image (197) (1).png>)
|
||||
|
||||
If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider.
|
||||
|
||||
|
@ -292,7 +287,7 @@ If you read the code, the parameters "_phoneNumber_" and "_message_" must be sen
|
|||
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
|
||||
```
|
||||
|
||||
## Is debuggeable
|
||||
### Is debuggeable
|
||||
|
||||
A prodduction APK should never be debuggeable.\
|
||||
This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code.
|
||||
|
@ -309,30 +304,23 @@ You can find all debuggeable applications with **Drozer**:
|
|||
run app.package.debuggable
|
||||
```
|
||||
|
||||
# Tutorials
|
||||
## Tutorials
|
||||
|
||||
* [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
|
||||
* [http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/](http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/)
|
||||
|
||||
# More info
|
||||
## More info
|
||||
|
||||
* [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -110,9 +110,9 @@ email: incognitoguy50@gmail.com
|
|||
|
||||
Quering the database you will learn the **name of the columns**, then, you could be able to insert data in the DB:
|
||||
|
||||
![](<../../../.gitbook/assets/image (188).png>)
|
||||
![](<../../../.gitbook/assets/image (188) (1).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (189).png>)
|
||||
![](<../../../.gitbook/assets/image (189) (1).png>)
|
||||
|
||||
_Note that in insert and update you can use --string to indicate string, --double to indicate a double, --float, --integer, --long, --short, --boolean_
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# iOS Pentesting Checklist
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -118,7 +118,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# iOS Pentesting
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -382,7 +382,7 @@ struct CGSize {
|
|||
|
||||
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -742,7 +742,7 @@ Jun 7 13:42:14 iPhone touch[9708] <Notice>: MS:Notice: Injecting: (null) [touch
|
|||
...
|
||||
```
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -1166,7 +1166,7 @@ You can find the **libraries used by an application** by running **`otool`** aga
|
|||
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
|
||||
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -118,7 +118,7 @@ Steps to configure Burp as proxy:
|
|||
|
||||
* Click on _**Ok**_ and the in _**Apply**_
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -323,7 +323,7 @@ Entry_1:
|
|||
Command: rmg enum {IP} {PORT}
|
||||
```
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -43,11 +43,11 @@ sudo loki_gtk.py
|
|||
|
||||
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the **Use Bruteforce** option, otherwise Loki will bruteforce the password without using the dictionary.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (11) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, **standing in the middle via ARP spoofing**, intercept the traffic. And in doing so, the legitimate hosts don’t realize that someone else has interfered with their connection.
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (8) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Now click the **CRACK** button and wait for **Loki** to break the password.
|
||||
|
||||
|
@ -65,7 +65,7 @@ We see which banner was used.
|
|||
|
||||
We find the username of the user `admin`
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think I’ll check their validity.**
|
||||
|
||||
|
|
|
@ -314,7 +314,7 @@ MSSQL could allow you to execute **scripts in Python and/or R**. These code will
|
|||
|
||||
Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
|
||||
|
||||
![](<../../.gitbook/assets/image (185).png>)
|
||||
![](<../../.gitbook/assets/image (185) (1).png>)
|
||||
|
||||
Example using configured python to perform several actions:
|
||||
|
||||
|
|
|
@ -244,7 +244,7 @@ In[ this **writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem
|
|||
|
||||
When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP:
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -86,7 +86,7 @@ Command line tool to brute-force websites using cookies crafted with flask-unsig
|
|||
|
||||
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ It's interesting to know if the **errors** are going to be **shown** as they wil
|
|||
?query={thisdefinitelydoesnotexist}
|
||||
```
|
||||
|
||||
![](<../../.gitbook/assets/image (205).png>)
|
||||
![](<../../.gitbook/assets/image (205) (1).png>)
|
||||
|
||||
**Enumerate Database Schema via Introspection**
|
||||
|
||||
|
@ -263,7 +263,7 @@ Authentication through GraphQL API with **simultaneously sending many queries wi
|
|||
|
||||
Below you can find the simplest demonstration of an application authentication request, with **3 different email/passwords pairs at a time**. Obviously it’s possible to send thousands in a single request in the same way:
|
||||
|
||||
![](<../../.gitbook/assets/image (182).png>)
|
||||
![](<../../.gitbook/assets/image (182) (1).png>)
|
||||
|
||||
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -133,7 +133,7 @@ AutoRepeater Burp Extension: Add a replacement rule
|
|||
* `Match: v2 (higher version)`
|
||||
* `Replace: v1 (lower version)`
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -223,7 +223,7 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
|
|||
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
|
||||
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -99,7 +99,7 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
|
|||
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
||||
```
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -210,7 +210,7 @@ Using the correct credentials you can upload a file. In the response the path wi
|
|||
|
||||
Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (188).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Bypass 2FA**
|
||||
|
||||
|
@ -281,7 +281,7 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
|
|||
#You can try to bruteforce the admin user using wpscan with "-U admin"
|
||||
```
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -423,7 +423,7 @@ Also, **only install trustable WordPress plugins and themes**.
|
|||
* **Limit login attempts** to prevent Brute Force attacks
|
||||
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
|
||||
|
||||
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -123,7 +123,7 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
|
|||
|
||||
Example usage: `wcvs -u example.com`
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -185,7 +185,7 @@ I found this worked on multiple targets, with user-agents from different tools o
|
|||
|
||||
The header name format is defined in [RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) as follows:
|
||||
|
||||
![](<../.gitbook/assets/image (175).png>)
|
||||
![](<../.gitbook/assets/image (175) (2).png>)
|
||||
|
||||
In theory, if a header name contains characters other than the ones listed in **tchar** it should be rejected with a 400 Bad request. In practice, however, servers don't always respect the RFC. The easiest way to exploit this nuance was by targeting Akamai which doesn't reject invalid headers, but forwards them and caches any 400 error as long the cache-control header is not present.
|
||||
|
||||
|
@ -227,7 +227,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
|
|||
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
|
||||
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -175,7 +175,7 @@ See the following documentation for further details and more complex examples:
|
|||
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
|
||||
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -67,7 +67,7 @@ All of them vulnerable to subdomain takeover. All of them were big brands. Talki
|
|||
|
||||
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -159,7 +159,7 @@ Until next time!
|
|||
|
||||
[Patrik](https://twitter.com/0xpatrik)
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ Secondly, the request must be **triggerable in a web-browser cross-domain**. Bro
|
|||
|
||||
The way to test this missconfig is to **send 2 requests and smuggle one** in the **middle**. If the **smuggled** connection **affected** the response of the **second** **request**, it means that it's **vulnerable**:
|
||||
|
||||
![](<../../.gitbook/assets/image (1) (2) (2) (1).png>)
|
||||
![](<../../.gitbook/assets/image (1) (2) (2).png>)
|
||||
|
||||
{% hint style="warning" %}
|
||||
Note that you **cannot** test this vuln by just sending a **Content-Length bigger** than the one sent and **looking for a timeout** because some servers **respond** even if they **didn't receive the whole body**.
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -84,7 +84,7 @@ cmp original.jpg stego.jpg -b -l
|
|||
If you find that a **text line** is **bigger** than it should be, then some **hidden information** could be included inside the **spaces** using invisible characters.\
|
||||
To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
@ -218,7 +218,7 @@ To read a QR code: [https://online-barcode-reader.inliteresearch.com/](https://o
|
|||
* [**https://0xrick.github.io/lists/stego/**](https://0xrick.github.io/lists/stego/)
|
||||
* [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)
|
||||
|
||||
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
||||
|
||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||
|
||||
|
|
|
@ -489,11 +489,11 @@ Notice that the `userPrincipalName` in the certificate is `Administrator` and th
|
|||
|
||||
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (4) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (1) (2) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## Weak Certificate Mappings - ESC10
|
||||
|
||||
|
@ -542,7 +542,7 @@ Then, we change back the `userPrincipalName` of `Jane` to be something else, lik
|
|||
|
||||
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Abuse Case 2
|
||||
|
||||
|
|